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INFORMATION SECURITY 


WEDNESDAY, SEPTEMBER 23, 1998 

U.S. Senate, 

Committee on Governmental Ai'fairs, 

Washington, DC. 

The Committee met, pursuant to notice, at 10:03 a.m., in room 
SD-342, Dirksen Senate Office Building, Hon. Fred Thompson, 
Chairman of the Committee, presiding. 

Present: Senators Thompson, Collins, and Lieberman. 

OPENING STATEMENT OF CHAIRMAN THOMPSON 

Chairman THOMPSON. The Committee will come to order, please. 

The Governmental Affairs Committee today is holding the third 
in a series of hearings on the security of Federal computer systems. 
Today’s hearing will focus on the security of the private and sen¬ 
sitive information about each American that is kept on our govern¬ 
ment’s computers. We will specifically look into the computer secu¬ 
rity problems at the Department of Veterans Affairs and the Social 
Security Administration. 

Government computers must protect national security and the 
public’s private and sensitive information from unauthorized disclo¬ 
sure. During our prior hearings, we focused on the fact that the use 
of information technologies as a tool of warfare and terror is becom¬ 
ing increasingly likely. No less important is the question of wheth¬ 
er our government computers that hold the American people’s sen¬ 
sitive and private information are secure. 

The Social Security Administration computer system contains 
personal information on virtually every working American. If the 
Social Security Administration’s computer system is compromised, 
the information about every single one of us in this room is avail¬ 
able for the picking. 

Equally, computer systems at the VA hold information that is 
vital to the health and welfare of our 25 million veterans. Sensitive 
information, such as veterans’ medical records, home address, and 
benefit payments, must be protected. Knowing the medical history 
and home address of one of our Nation’s military heroes is inforrna- 
tion that a dedicated enemy to the United States could exploit with 
substantial consequences. 

But it is not just the heroes and celebrities that need to be pro¬ 
tected. The Committee reports regarding identity theft and credit 
card fraud are examples of the fact that protections must be af¬ 
forded to the average citizen. GAO has identified information secu¬ 
rity as one of the highest risk areas facing our government today. 

(1) 
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GAO concludes that Federal agency computer systems are not 
being adequately protected, despite their sensitivity and criticality. 

In the past 5 years, GAO has issued over 30 reports describing 
serious security weaknesses in major agency computer systems. 
The increased linkage of government computers, combined with 
poor security management, puts billions of dollars of Federal assets 
at risk of loss. In addition, vast amounts of sensitive data main¬ 
tained by Federal agencies is at risk of unauthorized disclosure. 
Agencies’ growing reliance on computer systems and electronic 
records has raised the specter that critical Federal operations are 
vulnerable to serious disruption. 

Today, at the request of the Committee, the GAO will issue re¬ 
ports that raise serious concerns about risk to the public resulting 
from information security weaknesses. Gene Dodaro, Assistant 
Comptroller General, will testify on those reports and other find¬ 
ings of the GAO. The GAO cannot present their findings in their 
entirety because of the potential vulnerabilities they found, but has 
been able, with the cooperation of the agencies, to testify to many 
of the problems they uncovered at the VA and the Social Security 
Administration. 

Using techniques widely available on the Internet, GAO tests 
show that the computer systems of both the VA and SSA are highly 
vulnerable. The VA operates the largest health care delivery sys¬ 
tem in the United States and guarantees loans on about 20 percent 
of the homes in our country. By gaining the level of access dem¬ 
onstrated by the GAO, sensitive information contained ip the VA 
system, including financial data, personal information on veterans’ 
medical records, and benefits payments, is vulnerable to being al¬ 
tered, improperly disclosed, or destroyed by outside hackers. The 
most disturbing fact is that GAO’s penetration went undetected be¬ 
cause the VA does not even have a monitoring system. 

GAO also found that valuable personah information stored at the 
Social Security Administration is at risk. GAO’s penetration of the 
SSA exposed vulnerabilities in the administration’s computer sys¬ 
tem to both external and internal intrusions. These types of weak¬ 
nesses place at risk the American people’s most private informa¬ 
tion, their Social Security numbers, earnings, disabilities, and ben¬ 
efits. 

While it is very important to protect our government computers 
from outside hackers who break into our computers through high- 
tech doors, we must also look at the internal users of our comput¬ 
ers. Experts say that most computer crime is committed by employ¬ 
ees authorized to use the system. 

To illustrate examples of this, James Huse, the SSA’s Acting In¬ 
spector General, will testify, along with Ed Ryan, the Special Agent 
in Charge of the IG’s New York Field Office. He will speak about 
computer crimes that SSA employees committed and how they 
were able to catch them. 

For example, in what computer experts say may have been one 
of the biggest breaches of security of personal data held by the Fed¬ 
eral Government, several employees of the SSA passed information, 
including Social Security numbers, date of birth, and mother’s 
maiden name, on thousands of people to a West African credit card 
fraud ring. Using this information, the crime S 3 midicate was able to 
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activate thousands and thousands of stolen credit cards, stealing by 
a conservative estimate at least $70 million. Not only was a tre¬ 
mendous amount of money stolen, but each person whose informa¬ 
tion had been stolen from the SSA had to personally deal with this 
theft. Mr. Huse will explain how they were able to uncover the 
crime and what SSA is doing to prevent this from happening again. 

Another example of insider computer crime is what is being 
called virtual murder. Each and every one of us uses our Social Se¬ 
curity numbers in our daily lives. It is something we take for 
granted until something goes wrong. Imagine if you went into your 
bank to open a new account and the branch manager said, “Mr. 
Jones, I am sorry. I cannot open a new account for you because our 
records show that you are dead.” That is exactly what happened to 
a woman in Florida who was informed by a bank official that she 
was dead. It turns out that she had been communicating on an 
Internet chat room with a gentleman who worked for the Social Se¬ 
curity Administration. They had a disagreement and he entered a 
death notice for her into the official SSA database record. We will 
also hear about many other ways employees who have used the So¬ 
cial Security Administration’s computer system to commit crimes. 

The final panel will be comprised of witnesses from the Social Se¬ 
curity Administration and the VA who will comment on GAO’s 
findings and the state of information security within their agencies. 
They will testify about the programs they are instituting and the 
steps that they are taking to protect their valuable private and sen¬ 
sitive information. 

I will call on my other colleagues for any statements they might 
make. 

Senator Collins. 

OPENING STATEMENT OF SENATOR COLLINS 

Senator Collins. Thank you very much, Mr. Chairman. I first 
want to express my appreciation for your convening this hearing on 
this very important issue. In this age of the Internet and the com¬ 
puterization of almost every record keeping function of government, 
computer security is a topic of utmost importance to virtually every 
American. 

While many people tend to think of computer hackers as posing 
particular dangers to national security through their efforts to 
break into classified databases and computer systems, the com¬ 
puter security threat most likely to affect the health and livelihood 
of ordinary American citizens probably has much more to do with 
unclassified but private and confidential information held in ordi¬ 
nary databases throughout the government and in the private sec¬ 
tor. 

The Committee’s hearing today will focus on just this sort of 
threat, taking as its case studies the danger of theft or the unau¬ 
thorized alteration of private information about millions of Ameri¬ 
cans that is stored in computer archives and databases at the Vet¬ 
erans Administration and the Social Security Administration. 
These two agencies are, of course, vital parts of the social safety 
net that we provide for our citizens, for veterans who have served 
their country and for senior citizens who depend upon the SSA for 
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their Social Security benefits. Protecting these citizens from fraud 
and other abuses thus has a special urgency. 

Crucially, however, as we will hear today, the VA and the SSA 
computer systems contain vast amounts of information about 
American citizens, from Social Security numbers to mortgage 
records, from benefit records to the most basic and private of 
health records. 

All Americans, and especially veterans and elderly citizens, thus 
depend upon the VA and the SSA to have computer security sys¬ 
tems capable of ensuring that this information does not fall into 
the hands of criminals or information vandals intent upon fraud or 
other mischief. Our hearing today will address what steps need to 
be taken in order to fulfill the government’s obligation to provide 
this information security. 

In addition to the well-known threat from outside hackers, more¬ 
over, I am pleased that this hearing will also deal with the signifi¬ 
cant danger of data theft by insiders, be they disgruntled employ¬ 
ees, vengeful settlers of scores, or simply unscrupulous individuals 
who take advantage of their access to VA or SSA computer systems 
to engage in or facilitate various types of fraud. The insider threat 
is significantly different in some ways from that posed by outsiders, 
and our computer security systems need to take this fact into ac¬ 
count. 

These are, as I have noted, very important issues. However, they 
are not new issues. Particularly with regard to the Veterans Ad¬ 
ministration, many of these computer security vulnerabilities have 
been known for years and nothing has been done. This is very dis¬ 
turbing and it is why the leadership of our Chairman and Congres¬ 
sional efforts to draw attention to these matters is so crucial to the 
financial security and health of American veterans and our elderly. 

The GAO has undertaken a searching inquiry into computer se¬ 
curity at these two agencies, a study that included penetration test¬ 
ing, that is controlled break-ins to computer systems by benign 
hackers employed by the GAO. The study has done an admirable, 
though perhaps frightening, job of identifying key weaknesses. 

It is my hope that by virtue of this Committee’s attention, the 
VA and the SSA will be able to direct the necessary attention and 
resources to these weaknesses. In addition, it is my hope that in 
solving these problems at these two agencies, we will all be able 
to learn important lessons about how to handle computer security 
elsewhere in the Federal Government, and that Congress and the 
Executive Branch will together be able to ensure that such prob¬ 
lems do not continue or arise again. Americans should not have to 
fear that confidential, private information entrusted to government 
agencies is vulnerable to unauthorized access and improper disclo¬ 
sure. 

Again, Mr. Chairman, I thank you for holding this important 
hearing. 

Chairman THOMPSON. Thank you very much. 

Senator Lieberman. 

OPENING STATEMENT OF SENATOR LIEBERMAN 

Senator Lieberman. Thanks, Mr. Chairman. Very briefly, let me 
join in thanking you for this series of hearings. These hearings 
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have been a real education for me personally, and I think they are 
doing a great service for our country. 

I must say that I have been fascinated by what I have learned, 
but I have also been very discomforted by it. We are all accustomed 
to thinking about computers and the information revolution we 
have had over the past couple of decades as good and exciting de¬ 
velopments, and, of course, they are. But as we have learned from 
the earlier hearings in this series, there is a vulnerable side to the 
cyber revolution, one that comes from the fact that we have been 
far quicker to take advantage of the benefits computers and net¬ 
works offer and to become extraordinarily dependent on those net¬ 
works before we have acknowledged and taken action to protect 
against the risks that dependency brings. 

In our first hearing on the topic, as has been mentioned, we 
learned that the same advances that have made our power systems 
more stable, our transportation more efficient, and our information 
more accessible have left us very vulnerable to wider-scale disrup¬ 
tions of our infrastructure than was ever before possible. 

In our second hearing, we learned something that in many ways 
was more disturbing, which is that our defense systems and our 
national security itself are subject to enormous threats as a result 
of our dependence on computers and the weak security, relatively 
speaking, that we have now for them. 

Today, we are exploring a new aspect of this new world, which 
is the way in which the government’s increasing automation of its 
information systems has left our most personal information vulner¬ 
able to exposure and exploitation. Government computers store 
troves of information, like medical records and wage and other per¬ 
sonal income information, that are of great interest to voyeurs and 
of great value to the criminally inclined. 

I must say that I was unsettled when I read the background ma¬ 
terial for today’s hearing to learn how much we may have to do to 
provide truly adequate protection for all of this information because 
of how far the voyeurs and brokers and hackers are prepared to go 
to obtain that information. 

Mr. Chairman, again, I truly appreciate your holding these hear¬ 
ings. I think they are illuminating the unfortunate dark side of our 
otherwise bright entry into cyberspace. I look forward to hearing 
these witnesses today and to hearing from them particularly how 
we can better protect ourselves from the threat posed by the prob¬ 
lems they will describe. Thank you. 

Chairman Thompson. Thank you very much. 

I would like to recognize our first panel, James Huse, Acting In¬ 
spector General of the Social Security Administration, and Edward 
Ryan, Special Agent in Charge, New York Field Office of the In¬ 
spector General, Social Security Administration. 

Gentlemen, welcome. Thank you for being with us. Do you have 
any preliminary statements that you would like to make? 
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STATEMENT OF JAMES G. HUSE, JR.,» ACTING INSPECTOR 
GENERAL, SOCIAL SECURITY ADMINISTRATION, ACCOM¬ 
PANIED BY EDWARD RYAN, SPECIAL AGENT IN CHARGE, 
NEW YORK FIELD OFFICE, OFFICE OF THE INSPECTOR GEN- 
ERAL, SOCIAL SECURITY ADMINISTRATION, AND PAMELA 
GARDINER, ASSISTANT INSPECTOR GENERAL FOR AUDIT, 
SOCIAL SECURITY ADMINISTRATION 

Mr. Huse. Yes, sir. Mr. Chairman and Members of the Commit¬ 
tee, thank you for inviting me to appear today to discuss system 
security weaknesses and employees who took advantage of those 
weaknesses to commit fraudulent activities at the Social Security 
Administration. 

Identifying, investigating, and prosecuting SSA employees who 
inappropriately or criminally misuse their access to electronic 
records systems to commit program fraud is our No. 1 priority. We 
recognize that system security is a very important and very pri¬ 
mary mission for the Social Security Inspector General’s Office, as 
well as for Social Security itself. We all take this issue seriously. 
Because of our cooperative relationship with SSA, we are able to 
help deter employee fraud by seeking prosecution against employ¬ 
ees who commit criminal violations and by publicizing these suc¬ 
cessful prosecutions. 

I should have added at the beginning that we have submitted a 
formal statement for the record and this is an abbreviated oral 
statement for the sake of time. 

Chairman Thompson. Your full statement will be made a part of 
the record. 

Mr. Huse. One of our major efforts in the detection of fraud is 
Operation Clean Slate, which is designed to identify and prosecute 
employees who fraudulently manipulate Social Security Adminis¬ 
tration’s electronic records systems to commit program fraud and 
other crimes. Under Operation Clean Slate, we have a number of 
initiatives designed to identify employees who abuse the Social Se¬ 
curity data to which they have access. Today, I would like to high¬ 
light some of those cases and projects that we have under Oper¬ 
ation Clean Slate. I have asked Special Agent in Charge Ed Ryan 
from our New York Field Division to assist in the discussion of our 
results. 

I will now turn the floor over to Ed and he is going to discuss 
Operation Pinch. 

Mr. Ryan. Good morning, Mr. Chairman and Members of the 
Committee. I will provide you now an overview of Operation Pinch. 

In late 1995, the Office of the Inspector Gcmeral, New York Field 
Division, learned from the Social Security Administration of one 
possible corrupt employee. This fact, coupled with information re¬ 
ceived in 1996 from the Citicorp Fraud Investigation Unit inform¬ 
ing us of a major New York credit card fraud ring led to the initi¬ 
ation of Operation Pinch. 

Operation Pinch investigated a massive credit card fraud con¬ 
spiracy orchestrated by West African crime syndicates. These 
criminals stole thousands of credit cards mailed to legitimate bank 
customers. The credit cards could be activated via a 1-800 tele- 


^The prepared statement of Mr. Huse with charts appears in the Appendix on page 36. 
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phone line using cardholders’ Social Security numbers, dates of 
mrth, and mothers’ maiden names as security prompts. 

In order for this scheme to work effectively, the criminals en¬ 
listed Social Security Administration employees to obtain informa¬ 
tion needed to activate these stolen credit cards. A few corrupt SSA 
employees illegally sold identity information of 20,000 individuals 
whose credit cards were stolen. These West African criminals then 
fraudulently activated the credit cards. 

Citibank, Chase Manhattan Bank, Bank of America, and NOVUS 
provided us additional information concerning stolen credit cards 
and their subsequent fraudulent activation. This credit card theft 
ring resulted in estimated bank losses of approximately $70 mil¬ 
lion. 

I would like to now address specific cases that were part of Oper¬ 
ation Pinch in the New York Field Division. A contact representa¬ 
tive in Brooklyn, New York, obtained 30 Social Security account 
histories a day for a period of 2 years. She provided the Social Se¬ 
curity information to a New York City Department of Social Serv¬ 
ice employee, who also was of West African descent, who then pro¬ 
vided the Social Security information to other West African crimi¬ 
nals who activated these stolen credit cards. 

After being interviewed by Office of the Inspector General Spe¬ 
cial Agents, the contact representative resigned her position with 
SSA and was arrested. She was subsequently sentenced to 5 years 
supervised probation and ordered to pay a $100 fine. 

A claims clerk in Jamaica, New York, with minimal need to ac¬ 
cess the SSA database system conducted 655 record searches dur¬ 
ing a 6-month period. After being interviewed by our special 
agents, the claims clerk admitted to selling 1,000 to 1,500 account 
records for $10 to $20 each to West African co-conspirators. She 
was arrested and later sentenced to 4 years probation and fined 
$2,000. 

A local New York District Attorney obtained a search warrant for 
a private New York residence that resulted in the seizure of nu¬ 
merous Social Security records. A contact representative in the Jer¬ 
sey City, New Jersey, Teleservice Center was identified from the 
information contained in these seized records. The employee admit¬ 
ted to providing 100 Social Security records to a West African co¬ 
conspirator for $15 per record. The employee resigned from her em¬ 
ployment at SSA, was arrested, and later sentenced to 2 years pro¬ 
bation with special conditions.to seek psychological counseling and 
was fined $500. 

Another query of the SSN database identified a clerk-typist at 
the Flatbush District Office located in Brooklyn, New York. During 
our interview, the subject advised that he had been approached by 
the contract security guard at his Social Security District Office to 
sell Social Security record information for $50 to $100 per record. 
Between November 1995 and April 1996, the subject sold Social Se¬ 
curity records to this guard. He advised us that since the guard 
had only paid him $40 a record, he discontinued selling SSA 
records to the contract security guard. He then identified a West 
African co-conspirator as an individual to whom he also sold SSA 
records to for $50 per record during the time period April of 1996 
through the end of July 1996. 
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This SSA employee was immediately terminated from SSA em¬ 
ployment and was arrested for bribery. He was sentenced to 3 
years probation, fined $8,343, ordered to pay restitution in the 
amount of $20,239 to financial institutions. Additionally, the con¬ 
tract security ^ard was barred from the SSA District Office and 
was terminated by the contract security service and also was suc¬ 
cessfully prosecuted. 

Through SSA OIG investigations at the Flatbush District Office, 
a Stay-in-School clerk-typist was identified as accessing SSA 
records and furnishing them also to the office security guard, who 
worked for the West African credit card ring. The clerk-t 3 T>ist was 
terminated from SSA employment, was arrested, and sentenced to 
3 years probation, 200 hours of community service, and fined $25. 

SSA Office of Inspector Generafs Operation Pinch investigations 
resulted in 27 convictions to date. Or the 27 criminal convictions, 
12 were Social Security Administration employees, 3 were contract 
security guards, 12 were co-conspirators. In addition, at this time, 
one co-conspirator is considered a wanted person. The Inspector 
General is continuing to make arrests in similar fraud cases involv¬ 
ing Social Security fraud, including the illegal access and release 
of database information by Social Security employees. Thank you. 
Mr. Huse. Thank you, Ed. 

Now, I would like to discuss additional significant employee 
fraud cases that we have investigated around the United States 
that are similar to Operation Pinch. In Calilornia, an SSA em¬ 
ployee illegally sold and processed Social Security cards. The sub¬ 
ject admitted to selling the Social Security numbers and cards for 
$200 each. The subject pleaded guilty to a felony count of accepting 
a bribe and one felony count of illegally processing and issuing un¬ 
authorized Social Security numbers and cards, and was sentenced 
to serve 3 years of supervised probation, 50 hours community serv¬ 
ice and was terminated from SSA employment. 

In Kansas City, Missouri, in another case, the subject, a Social 
Security employee, had accessed and changed Social Security 
records pertaining to herself and family members, resulting in the 
issuance of unauthorized checks to 10 deceased beneficiaries and 
two living beneficiaries. The subject changed the addresses of these 
beneficiaries to reflect her own address and her friends’. Then the 
subject conspired with another Social Security benefits authorizer 
and had the checks issued to herself, her husband, her son, and her 
friend. The amount of fraudulent checks involved in this particular 
instance totaled $174,312. One subject was ordered to serve 15 
months in prison, 3 years probation and pay SSA restitution of 
$174,321. The other was ordered to serve 5 years probation and 
pay restitution to SSA in the amount of $20,933.10. 

In Chicago, a benefits authorizer at the Great Lakes Program 
Service Center generated “one-check-only” payments to fictitious 
individuals by entering false data into the records of exi.nting bene¬ 
ficiary accounts. These checks were then direct deposited by false 
entries into the personal account of this particular employee. 
Again, the subject plead guilty and was sentenced to 1 year incar¬ 
ceration and ordered to pay SSA $7,200. 

In Florida, a claims representative improperly and maliciously 
changed the Social Security card of an individual, and this is the 
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case alluded to by Senator Thompson, so I will pass over that one. 
That is the virtual murder case. 

In another Florida case, a Tampa, Florida, based company was 
selling confidential government information, including detailed 
earnings queries and Social Security number queries. This inves¬ 
tigation uncovered that this company had suborned a Fort Lauder¬ 
dale Social Security teleservice center representative who accepted 
bribes from that company in order to provide them with the data 
that they required for this business process. For his services, this 
Social Security employee was paid $3,000. Subsequently, that em¬ 
ployee plead guilty'Snd was sentenced. 

Now, Mr. Ryan will describe one more case in New Jersey that 
is significant in this respect. 

Mr. Ryan. Thank you, Mr. Huse. 

Another significant employee fraud case involved a Social Secu¬ 
rity Administration benefits authorizer. In March of 1995, the So¬ 
cial Security Administration regional security staff in New York re¬ 
ceived a referral from a small New Jersey bank regarding sus¬ 
picious activity in a customer’s account. We, in coordination with 
the Administration’s Northeastern Program Service Center integ¬ 
rity staff, determined that an SSA benefits authorizer in New Jer¬ 
sey made a number of SSA electronic transfers in the amount of 
$2,999 each. 

The investigation concluded the benefits authorizer fraudulently 
established SSA payments not onl 5 H:o himself but others and then 
diverted approximately $328,731 from March 1994 through March 
1995 by electronically depositing the fraudulent funds into these 
accounts. The co-conspirators were not SSA employees and they 
were not entitled to receive these funds. 

The benefits authorizer resigned his position at SSA, was ar¬ 
rested by OIG on charges involving wire fraud and money launder¬ 
ing. He was later sentenced to 4 months imprisonment, 4 months 
home confinement, 3 years supervised release, restitution of 
$50,000, and a special assessment fee of $50. 

I would like now to turn it back over to Mr. Huse. 

Mr. Huse. To conclude this, Mr. Chairman, employee fraud cases 
represent the smallest number of cases we investigate in the In¬ 
spector General’s Office. However, we have made employee fraud 
our primary mission. We believe, along with the Commissioner and 
the executives of the Social Security Administration, that employee 
fraud is a serious matter that must be dealt with effectively. 

We believe that successful prosecutions are a key deterrent 
against employee fraud. We publish these cases throughout the 
agency in cooperation with Social Security Administration high¬ 
lighting these effective prosecutions. In this way, prosecutions are 
made public and all Social Security Administration employees are 
made aware of the fact that Social Security Administration has a 
zero tolerance for fraud. We are dedicated to eliminating employee 
fraud and misconduct at SSA and I wish to thank the Committee 
again for focusing on this important and serious issue. 

I would be pleased, along with my staff, to answer any questions 
you may have at this time. 

Chairman Thompson. Thank you very much, gentlemen, for your 
information. In many respects, perhaps we are calling you out of 
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sequence because you show what can happen on the tail end as a 
result of your investigation and bringing people to justice with re¬ 
gard to some of these things, but you can help us deal with what 
causes this in terms of weaknesses in our system and what we 
might do to rectify it. Obviously, you are going to have people in 
all branches of government, as well as private life, who, from time 
to time, are going to violate the law and figure out ways to game 
the system. 

I guess what I come away with initially is how easy it seems to 
be. You have rather low-level employees who can enter into con¬ 
spiracies with outside people in order to furnish them information, 
who can go into the computers and pay themselves benefits if they 
want to. You have 12 here. 

I think it is also instructive as to how these cases were made. 
It seems like they were not made by managers within the Social 
Security Administration. They were not detected through whatever 
procedures they might have to detect such things. But, rather, I 
think they started out with bank investigators who noticed some 
suspicious circumstances, did they not? How did that come about? 

Mr. Ryan. That is correct. In one case, we did have information 
. from Social Security Administration from doing audit trails of one 
possible corrupt employee. After about another 3 months is when 
we began to get the referrals from the credit card financial institu¬ 
tions and it turned out to be the same employee originally referred 
to us by the Social Security Administration. 

Chairman THOMPSON. So is that what started the entire Oper¬ 
ation Pinch investigation? Is that how that came about? 

Mr. Ryan. Investigation of the one, coupled with the 1996 up¬ 
dated information from the financial credit card issuers. 

Chairman- Thompson. So I believe the bank investigators noticed 
an increase in stolen credit card activity and reported it through 
the Secret Service to the Social Security Administration IG, is that 
correct? 

Mr. Huse. That is correct. The case had two prongs, if you will, 
in terms of its origin. We received early information that there was 
some employee activity that required investigation, and then cou¬ 
pling that with a later notification by the financial community of 
credit card activations that they suspected had to come from some 
information that would have come from our databases caused us to 
put the two together and then focus on the crime. 

Chairman Thompson. Do we know how many files were in¬ 
volved, how many pieces of information or how many citizens’ 
records were violated? You are talking about 27 convictions includ¬ 
ing 12 SSA employees, do you have any damage assessment from 
that standpoint? 

Mr. Ryan. From the numbcir of credit cards and the financial 
losses estimated by the credit card companies themselves, it would 
probably be approximately 20,000 records. 

Chairman Thompson. TVenty-thousand records? 

Mr. Huse. That is 20,000 records that we, from our interviews 
of these suspects, have determined as well as we can that they 
passed over to these conspirators. We cannot really link that ex¬ 
actly to the number of credit cards that were activated because in 
addition to suborning our employees, these sophisticated conspir- 
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acies also tap other databases, to include those of the very financial 
institutions that were defrauded here. So it is a mix there. There 
is not a direct correlation. We know that 20,000 records were 
passed to these people, but how many of them were in these cards, 
the financial community is circumspect about providing us exactly 
with that information for obvious reasons. That is bad advertising 
for them. 

Chairman THOMPSON. Right. So you know at least 20,000 records 
were violated, and we do not know how many other records from 
other sources that this conspiracy might have gotten into. And, of 
course, you know, the first thing that occurs to you is that there 
are lots of other potential conspiracies out there and the question 
is, how do we know? There are 20,000 records by a handful of low- 
level employees, typists in one case, who are being, in effect, used 
by an outside conspiracy. 

Do you have any indication that there are other groups, sophisti¬ 
cated or otherwise, out there who are making attempts, that you 
do not have cases yet, and I will not ask you the details of your 
investigation, of course, but do you have other indications of at¬ 
tempted penetration in that regard? 

Mr. Huse. What we have done, and that is a very good question, 
we are a relatively new agency because we came into being with 
Social Security's independence. In the last several years with con¬ 
siderable resources that we have been given by the agency, we 
have been able to develop a capacity to deal with this, what I 
would call intelligence information about emerging financial 
crimes, conspiracies, and you are absolutely right, there are many. 

We have a Strategic Enforcement Division that does nothing but 
focus on these types of crimes. We have a new memorandum of un¬ 
derstanding with the agency that gives us tremendous access to the 
agency's databases in order to monitor any kind of what we believe 
is an emerging investigative lead, so that with rapid deployment of 
our investigative resources, we can get on something like this as 
soon as we get the tip. 

We have a strong relationship now with the credit card and fi¬ 
nancial community so that we exchange information about emerg¬ 
ing trends and patterns. All of this has come to pass as a result 
of Operation Pinch and the lessons learned. 

Chairman Thompson. You are addressing your capabilities, and 
that is good information. My question has to do with what you are 
doing with those capabilities. Is it too early to tell yet, or are there 
other indications of attempted penetrations by other groups? 

Mr. Huse. We can tell that on the cases that come to our atten¬ 
tion that we are able to rapidly get out there—and we have a num¬ 
ber of employee cases, but the number is extremely small in terms 
of the overall number of cases we have in our inventory. I would 
say that, although there are these attempts, they are not in signifi¬ 
cant numbers at this time. 

Chairman Thompson. All right. In our past hearings, experts 
have made the point that good security practices are as much a 
matter of management practices as they are a technical problem. 
You apparently have a pretty good technical system in place for 
tracking suspicious computer activity, so I am puzzled why these 
audit trail reports never alerted the relevant managers to sus- 
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picious activities in the Operation Pinch cases. Would not reports 
have shown suspicious spikes in computer browsing by the employ¬ 
ees? Are managers pa 3 dng enough attention to the audit reports 
that they are getting? 

First of all, you might describe these audit trails, in the first 
place, and then second, should they not have alerted managers 
more readily in these cases? 

Mr. Huse. You are entirely correct that that is on the front end 
of these cases. We have done—that is outside of the investigative 
arena, that is more on our audit side, and if you will permit me, 
I would like to call up our Assistant Inspector General for Audit, 
Pam Gardiner, who will speak to some of our audit work in this 

respect, and then I am sure the agency also has some- 

Chairman Thompson. Welcome. Would you state your name for 
the record, please? 

Ms. Gardiner. Yes. Good morning. I am Pamela Gardiner. As far 
as the audit trail system goes, it captures so much data that it is 
primarily used by the Social Security Administration after the fact, 
when an individual is identified as having committed a crime. SSA 
can go back and review every transaction that has occurred with 
that personr. 

In our audits, we have made a number of recommendations 
through the years. The agency issues an annual accountability re¬ 
port, and in these reports we have identified separation of duties, 
in particular, as a significant weakness. The agency has problems 
with separation of duties because of downsizing and they have to 
allow employees to do more than they used to in the past because 
they have fewer people to process more transactions. 

So our main emphasis has been on compensating controls that 
they should implement, and the audit trail system is one. It could 
be improved. When certain high-risk transactions occur, an em¬ 
ployee puts in his/her password, but then we suggest that a super¬ 
visor also put in a password before that transaction can actually 
take place and be implemented. We call that a 2-PIN process. 

We also suggest that employees have the most limited amount of 
access to systems as possible. It is a concept called least privilege, 
where an employee should only have access to those systems that 
they absolutely must have access to in order to perform certain 
transactions. 

And then finally, as far as the audit trail system, what-we are 
going to recommend is that, right now, the system does not have 
what you would consider to be measurements or matrices that 
would identify things like employees should process so many trans¬ 
actions an hour or certain types of transactions, and when those 
numbers go way out of whack or beyond what is normal, a flag 

would appear and that way they could really focus- 

Chairman Thompson. The system that you have now—does not 
each employee have a unique PIN number? 

Ms. Gardiner. Yes, they do. 

Chairman Thompson. And your computers generate audit trails 
that can show where employees have looked into databases of per¬ 
sonal information? Do you, not have that availability and capabil¬ 
ity? 

Ms. Gardiner. That is correct. Yes. 
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Chairman Thompson. That being the case, you are saying, basi¬ 
cally, that the audit trails are useful in solving crimes but not 
much in preventing crimes. Is it because you do not have that in¬ 
formation, that it is not being kept the way it should be, or that 
it is not being used by managers the way perhaps they should be 
using them on the front end to analyze and see who is looking at 
what? That would not be total prevention, because they have al¬ 
ready looked, but certainly it may be before things get out of hand. 
Ms. Gardiner, Right. 

Chairman Thompson. What is the problem there? 

Ms. Gardiner. Several. One is that there is so much information. 
There are so many employees and so many transactions on a daily 
basis- 

Chairman Thompson. It is so voluminous that managers just are 
overwhelmed with the load of information and they wind up maybe 
not using it as much as they should? 

Ms. Gardiner. Well, they try and do samples and look at certain 
things, but again, it is an awful lot of information. Also, managers 
do have other high-priority work and so they cannot always get 
these reviews in and do everything else. So, there is a little bit of 
inconsistency in how often they do the reviews. 

Chairman Thompson. Mr. Huse, did you have a comment on 
this? 

Mr. Huse. I was going to say that there are also some planned 
enhancements that we believe are going to be very effective that 
the agency has invested in that are pending, that will help in this 
audit process, but those are not on-line yet. They call it CHIRP. It 
is an acronym for basically this kind of review of these audit trails. 

Chairman Thompson. You are talking about the problem being 
a continuing one of employees selling information. Did you mention 
that the New York IG Office just arrested several more employees 
in connection with another fraud ring? Is that true? 

Mr. Ryan. Just recently? 

Mr. Huse. Not recently, but we have these cases occur infre¬ 
quently, and that is very important, that this is not an epidemic 
issue. This is an issue that I think we react to very quickly. These 
recommendations that we have made are before the agency and the 
agency is probably best suited to answer exactly how they work 
with those. 

Chairman Thompson. Are you making recommendations such as 
additional training and things of that nature for Social Security 
Administration employees in terms of using the data that is avail¬ 
able to them? 

Mr. Huse. We have made those recommendations in a general 
sense in the work on our audit site. In addition to that, we partici¬ 
pate with the agency in a national anti-fraud effort, and in that, 
the training and the raising of the profile of security in terms of 
our employee awareness is a major imperative inside Social Secu¬ 
rity Administration. 

Chairman Thompson. There is at least one criminal statute 
against improper use of Federal Government computer data. Do 
you think that the existing laws are satisfactory or sufficient to 
deal with the problems that you are running into? 
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Mr. Huse. I am glad you raised that, Mr. Chairman, because I 
think we have a good Federal law but it could be a little bit better. 
One of the problems we face, as you can see from our statement 
on the record, is that a lot of times, the actual sentencing for these 
particular crimes is not what it could be. 

Chairman Thompson, Yes. I noticed that out of all that, I do not 
think there was 1 day in jail. 

Mr. Huse. For many people, there is not. 

Chairman THOMPSON. That first one, you mentioned a $100 fine? 
Mr. Ryan. A $100 fine. 

Chairman Thompson. A $100 fine and probation. Well, that will 
put the fear of the Lord into them. [Laughter.] 

Mr. Huse. Right now, in the Federal computer crime statute, 18 
U.S.C. 1030, there is a monetary threshold that has to be met for 
the gravamen of that offense to attach for potential prosecution. 
We often cannot get there. It is very difficult sometimes for us to 
take what has happened- 

Chairman Thompson. Because you catch them before they reach 
the amount sometimes? 

Mr. Huse. Right, and that prevents sometimes the interest that 
could be there, if there were a different standard, if we could 
change that statute to make the access itself or the theft of the in¬ 
formation the graviment of the offense. 

Chairman Thompson. Some question has been raised, too, as to 
whether or not it sufficiently covers the employees from accessing 
data within their own department. 

Mr. Huse. That is correct. 

Chairman Thompson. I think most of the statutes have to do 
with outsiders coming in. 

Mr. Huse. Correct. 

Chairman Thompson. Perhaps that needs to be looked at and 
tightened up some. 

Mr. Huse. I am not certain of the bill’s number, but I know Sen¬ 
ator Kyi’s bill does put that bite in it in terms of identity fraud 
theft, for that t 3 q)e of data, and that would be a significant help for 
us itself. 

Chairman Thompson. We have had coverage there for disclosure 
of information. I think we are just now getting into the damage 

that can be done just- 

Mr. Huse. With the data itself. 

Chairman Thompson [continuing]. By accessing it. Of course, we 
just passed as part of the IRS bill a criminal provision for willfully 
inspecting tax returns, but that is limited to tax returns. 

Mr. Huse. That is the browsing aspect. 

Chairman Thompson. Yes. That is^ tlm browsing aspect. So we 
are gradually getting there, I think, as we see what all is going on 
out there and what is being done with these records. You deal with 
tax matters, too, but you deal with a lot more matters than that. 

We have three panels today, so I am not going to keep you any 
longer, but obviously, you have done some excellent work here. 
Keep it up, and thank you for coming today. I appreciate it. 

Mr. Huse. Thank you. 

Mr. Ryan. Thank you. 
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Chairman Thompson. We will proceed to our second panel, Gene 
Dodaro, Assistant Comptroller General, Accounting and Informa¬ 
tion Management Division, U.S. General Accounting Office; Robert 
Dacey, Director for Consolidated Audits and Computer Security 
Issues, Accounting and Information Management Division, U.S. 
General Accounting Office; and Keith Rhodes, Technical Director 
for Computers and Telecommunications, Accounting and Informa¬ 
tion Management Division, U.S. General Accounting Office. What 
do you gentlemen do when people ask you what you do for a living? 
Certainly, you do not take the full 5 minutes to go through your 
title. [Laughter.] 

Mr. Dodaro. Basically, Senator, I tell them we get to audit the 
IRS. 

Chairman Thompson. All right. People understand that, and 
they probably mve you a standing ovation. [Laughter.] 

Thank you for being here. Is there any preliminary statement 
that you would like to make? 

STATEMENT OF GENE L. DODARO,» ASSISTANT COMPTROLLER 
GENERAL, ACCOUNTING AND INFORMATION MANAGEMENT 
DIVISION, U.S. GENERAL ACCOUNTING OFFICE, ACCOM- 
PANIED BY ROBERT F. DACEY, DIRECTOR FOR CONSOLI¬ 
DATED AUDITS AND COMPUTER SECURITY ISSUES, AC¬ 
COUNTING AND INFORMATION MANAGEMENT DIVISION, U.S. 
GENERAL ACCOUNTING OFFICE, AND KEITH RHODES, TECH¬ 
NICAL DIRECTOR FOR COMPUTERS AND TELECOMMUNI¬ 
CATIONS, ACCOUNTING AND INFORMATION MANAGEMENT 
DIVISION, U.S. GENERAL ACCOUNTING OFFICE 

Mr. Dodaro. Yes. Good morning, Mr. Chairman. We are very 
pleased to participate in the series of hearings being held on. infor¬ 
mation security. The attention you are focusing on this important 
subject is providing an important stimulus for needed improve¬ 
ments.^ 

Since GAO identified information security as a government wide 
high-risk area in early 1997, several encouraging developments 
have transpired. First, agencies are beginning to pay more atten¬ 
tion and respond more favorably to recommendations by auditors. 
We have worked to build into the Chief Financial Officer Act an¬ 
nual audit requirements a detailed look at computer controls, and 
that has helped provide incentives because you have an annual re¬ 
port card every year. 

Second, based on our recommendation, 0MB and the Federal 
Chief Information Officers Council have designated information se¬ 
curity a priority area for the government. And last May, as you 
know, the President issued the directive to improve the critical in¬ 
frastructures of the Nation, including the Federal Government’s in¬ 
frastructure. 

Now, all these activities are stimulating increased attention, but 
there is a great deal more that needs to be done to develop and 
maintain an effective security program for the Federal Govern¬ 
ment. As you mentioned in your opening statement, we are releas¬ 
ing a report today done at the Committee’s request that details the 


^The prepared statement of Mr. Dodaro appears in the Appendix on page 54. 
2 GAO report submitted by Mr. Dodaro appears in the Appendix on page 85. 



16 


serious weaknesses in the 24 major departments and agencies of 
our Federal Government. Those departments and agencies cover 
virtually all the revenue collection activity of the government as 
well as virtually all the expenditures that are made on behalf of 
our National Government. 

These pervasive weaknesses include poor access controls over 
sensitive data, incomplete and untested plans to require continuity 
of services in the event of disruptions, and inadequate organiza¬ 
tion-wide planning and management of security programs. Until 
these areas and specific weaknesses are rectified, critical Federal 
operations and assets are really put at risk. As has been pointed 
out today, the Federal Government’s exposures to individuals and 
groups inappropriately accessing sensitive data, or modifying com¬ 
puter programs for personal gain or sabotage remains an extreme 
risk for the Federal Government. 

Now, two agencies that you are focusing in on today, VA and the 
Social Security Administration, illustrate the type of risk that can 
occur and also what actions are required to fix these problems. Our 
audit at the VA, for example, uncovered the fact that thousands ol 
authorized users at the VA had much more access to read and 
change files than was necessary. Additionally, user identifications 
and passwords controls were weak. Passwords were often shared 
among employees or easily guessed, and people who had been ter¬ 
minated by the VA or transferred to another department were not 
removed promptly from authorized lists of users. 

This greatly increased the risk of several things occurring. Pay¬ 
ments for payroll and other financial transactions could have been 
altered. Also, it increased the risk that sensitive medical records, 
including diagnoses for illness as well as treatment that had been 
received by veterans, could have been viewed or disclosed. Simi¬ 
larly, information on the veterans’ home mortgage program, such 
as default rates and delinquencies, could have been disclosed or 
were readily available for people to view. 

Our penetration test at Veterans Affairs also disclosed that we 
were able to easily gain access to its mainframe and network com¬ 
puters, and with this access, we could have modified information 
in the loan guarantee program, which is a multi-billion dollar loan 
portfolio. We also could have had access and modified, deleted, or 
destroyed information on VA’s sensitive programs in veterans’ com¬ 
pensation, pension, life insurance programs, as well. 

These weaknesses were further exacerbated because VA did not 
have an active monitoring pro^am to review trends in access infor¬ 
mation. This is similar to the issue that you were asking Mr. Huse 
earlier, who is monitoring the activity of authorized users or others 
entering into the systems, and we found that to be a weakness at 
VA. 

Similarly, at SSA, weaknesses were noted by auditors there, as 
well. User identifications and passwords controls, again, were very 
weak and easily guessed. Additionally, penetration tests at VA al¬ 
lowed auditors to gain access to systems that would have enabled 
them to view sensitive data and destroy that data, and add or de¬ 
lete users. This puts information such as sensitive information on 
Social Security numbers, earnings statements, and benefit pay¬ 
ments at risk. It also creates the opportunity for people to create 
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fictitious beneficiaries, as well as basically steal some of the infor¬ 
mation and sell it for personal gain. 

Now, both at VA and the Social Security Administration, numer¬ 
ous recommendations were made to fix the individual weaknesses 
that have been identified. Also recommendations were made in 
both agencies to put in place a comprehensive security manage¬ 
ment pr(^am. As you recall, in May, the work that we had done 
for this Committee on the best practices of leading organizations 
that have good information security programs led to the publication 
of this report. In this report, we outline the conclusions of the les¬ 
sons learned from people who do security well. That is you need a 
central focal point to focus on this activity, you have to assess risk, 
you have to monitor, and you have to raise awareness of the em¬ 
ployees, as you pointed out in your earlier questioning of the wit¬ 
nesses, and you need to monitor and evaluate and test the systems 
in place. This type of comprehensive security program needs to be 
put in place in every organization in the Federal Government. 
Chairman Thompson. When did that come out? 

Mr. Dodaro. That came out in May, Senator. We had an expo¬ 
sure draft issued earlier. This guide, in addition to being endorsed 
by this Committee, has been endorsed by the Federal Chief Infor¬ 
mation Officer Council. We are consistently working with the CIOs 
and the Inspectors General and others, to put this t 5 q)e of process 
in place. 

In addition, in the report we are releasing today, we have rec¬ 
ommended that 0MB work with the National Security Council to 
have a government wide, comprehensive strategy, emerge from 
their efforts. V/e know that plans are underway. We have not yet 
been able to review those plans. They have not been made avail¬ 
able. We will plan to review them and apprise the Committee of 
our conclusions about whether or not this comprehensive strategy 
has emerged. Central management is needed in addition to the in¬ 
dividual agencies fixing their problems to follow up, deal with gov¬ 
ernment wide cross-cutting issues, and really monitor whether or 
not the agencies are making progress. 

Chairman THOMPSON. Through 0MB? 

Mr. Dodaro. Yes. 0MB has the statutory responsibilities, but 
also the National Security Council now, under the President’s di¬ 
rective that was issued in May, is launching a major initiative that 
involves the private sector. State and local governments, but also 
the Federal Government. One of the goals of that directive is to 
make the Federal Government the ‘'best practices” example of in¬ 
formation security to show others in the private sector, and there 
is a lot that needs to be done to be able to achieve that goal. 

Whole information security is a continuing concern, there is real¬ 
ly one caveat I want to emphasize here this morning. Over the next 
18 months, as organizations ^apple with the year 2000 computer 
conversion, information security needs to really be given height¬ 
ened awareness. At no time in our history are so many computer 
systems going to be modified at the same time, thus increasing the 
risk that security could take a back seat. The year 2000 computer 
conversion is the most dramatic example yet of the dependence 
that we have as a Nation on our computer systems and how vul¬ 
nerable we are to potential disruption. So that really needs to be 
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given a lot of attention. We have emphasized this to 0MB and the 
agencies and special focus is needed over this next couple-of-years 
period. 

But such challenges in information security are not going to end 
with the new millennium. They are going to continue in the future. 
There needs to be long-term programs put in place. We at GAO are 
committed to work with this Committee and with the Executive 
Branch to make sure that happens to reduce our vulnerability and 
risk. 

That concludes my opening statement, Mr. Chairman. My col¬ 
leagues and I would be happy to answer any questions. 

Chairman Thompson. You are talking about the Y2K problem. It 
certainly fits right together with the subject we are dealing with 
today, as you point out, and my understanding is we are having to 
bring in thousands of people from other countries to address our 
Y2K problem. We just do not have the manpower, and that in and 
of itself, of course, raises serious security concerns because we do 
not know if we have been the victim of sabotage, for example, until 
sometime after the fact. It is just an additional avenue that those 
who would do us harm are going to have, in addition to all the oth¬ 
ers that we have had, is that correct? 

Mr. Dodaro. That is correct. Senator. I will ask Keith to elabo¬ 
rate in a minute, but there are two basic risks, one that you point 
out, in that fixing the software problems there could be shortcuts 
that could be taken in order to get the work done on time. As you 
well know and we have reported, many Federal agencies are way 
behind in fixing their problems. Some of the organizations in the 
private sector are behind, as well. It is an international problem 
globally. 

So a lot of people are under a lot of pressure, and as you have 
heard, one of the reasons we are in this information security di¬ 
lemma of being very vulnerable is that information security has al¬ 
ways taken a back seat to getting the systems developed and put 
on line quickly, and there is tremendous pressure now. 

The other big risk is that if something occurs during that period 
of time, one would not know or could have difficulty distinguishing 
between a year 2000 computer failure and whether or not some¬ 
body is intruding into your system and tr 3 dng to do malicious harm 
to that system. But Keith has been focusing on the year 2000 prob¬ 
lem and has a very good perspective on that. 

Chairman Thompson. Will you elaborate on that for us? 

Mr. Rhodes. Just to expand on what Mr. Dodaro has already 
said, by its very nature, since everyone is late, everyone has to 
focus on what is mission critical. Now, by that very definition, you 
are exposing yourself to letting everyone know what the crown jew¬ 
els are. 

Now I am turning it over to a contractor which I have brought 
in at the 11th hour because anyone who got started early already 
sucked up the resources necessary. That contractor will then sub¬ 
contract and subcontract and subcontract, or I will just take my 
code and give it to—one of the big software houses in the world 
right now is India. A little while ago, they set off a nuclear weapon 
that upset a lot of people. They are very good coders. I do not know 
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that somebody in a foreign country can necessarily get the security 
clearance that I would want them to have. ", 

Recently, I read about George Soros, the entrepreneur, wanting 
to bring the Bulgarians over from the Bulgarian Virus Institute be¬ 
cause they are very good code writers and have them work on our 
code. When I was working in national security prior to coming to 
the General Accounting lot of my time was spent fighting 

the Bulgarians that are now going to come in and fix our code. 

From my perspective, not necessarily being labeled an aging Cold 
Warrior or something, I do not necessarily like to bring my former 
enemies in to fix my code. But people are in a position of being des¬ 
perate and now they open the flood gates and say, well, I abso¬ 
lutely have to fix my system. As we see, as your hearings point out, 
security is not a top priority for a lot of organizations. 

Chairman Thompson. It is not now, and it is going to be even 
less, in and of itself, as they face this crisis. 

Mr. Rhodes. Absolutely. 

Chairman Thompson. If they are going to be manufacturing 
automobiles or widgets or whatever, that is going to be their prime 
concern. 

Mr. Rhodes. Right, and in the year 2000, not just from a govern¬ 
ment perspective but from the entire infrastructure perspective, 
you are talking about power, you are talking about water, you are 
talking about telecommunications, you are talking about emergency 
services, you are talking about traffic lights, you are talking about 
elevators, and you are talking about your business codes, so you 
are having to open up everything. 

The year 2000, like security, is a horizontal issue. It cuts com¬ 
pletely across the organization and touches everything that you, by 
your own definition as the chief executive officer, declare to be mis¬ 
sion critical. Now you have given your opponent, so to speak, all 
of the information she or he needs to figure out where your heart 

is. 

Chairman Thompson. As you say, there are three completely dif¬ 
ferent, in a way interrelated but different, avenues into our most 
critical systems: Transportation, communication, and finance. 

Mr. Rhodes. Right. 

Chairman Thompson. That is a very troubling way of looking at 

it. People are now focusing on the Y2K problem more and more. 
Vffiat you are pointing out here in these hearings is that we have 
this other existing problem. You, obviously, have been able to walk 
into the VA and get whatever you want. I mean, any amateur— 
we had a bunch of kids—I call them kids, I guess I am old enough 
to call them that—very young men come in in one of our prior 
hearings. They said, we can shut this place down if you give us a 
few hours and what not. 

You, obviously, especially with the VA, were able to get access 
to any information that you wanted to and you could wreak havoc 
with that, and to a lesser extent with the Social Security Adminis¬ 
tration. We picked those two agencies, for example, because these 
were agencies that you had dealt with and had made an assess¬ 
ment of in recent times. We were not just singling them out, but 
that you happened to have made assessments of those two in re¬ 
cent times, and it is pretty clear. 
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We can talk about details, but anyone with any sophistication 
can get into pretty much whatever they want to. It is a continuing 
disaster waiting to happen. It is nothing that cannot be handled if 
we get on the job, but that is the question. Are we on the job? For 
example, in the Veterans Administration, this problem has been 
pointed out and around for some time now. 

Give us some assessment agency-wide or government wide. How 
long have you been dealing with this? Obviously, we have, hope¬ 
fully, heightened the level of attention a bit with the hearings that 
we have had, but how long have you been on the case? How long 
have these agencies been told, at least, that they have got major 
problems? I will stop there. 

Mr. Dodaro. It varies by individual agency. For some, there 
have been reports for many years, as was pointed out with VA. 
What we did at GAO is we put computer security as a high risk 
across the government in early 1997. We also put year 2000 com¬ 
puter conversion on a government wide high-risk list at that time, 
as well. 

Chairman Thompson. And when was that? 

Mr. Dodaro. That was in February 1997, and we had issued re¬ 
ports earlier than that. A lot of this attention we have been able 
to generate actually through the requirements in the Chief Finan¬ 
cial Officers Act, which is another management statute passed by 
this Committee. For those annual financial audits now, we examine 
and have developed methodologies to look at, computer controls 
over those financial systems and sometimes that leads us into non- 
financial systems, as well. While some of those audits date back to 
the early 1990’s, in 1996, all 24 departments and agencies were re¬ 
quired to now have an annual audit. 

That annual audit requirement means getting a report card 
every year, as opposed to doing an audit in one part of an agency 
1 year and going back 3 years later. That annual requirement is 
really putting more pressure on the agencies to make the changes 
and I think it is having an effect. Awareness is increasing due to 
these hearings this Committee has had and other pressures that 
we are trying to generate through these audit requirements. Agen¬ 
cies are beginning to take action. 

Chairman Thompson. GPRA requirements, also, hopefully, will 
help along those lines. 

Mr. Dodaro. I agree. Senator. This focuses attention on perform¬ 
ance as well as accountability, which is basically the heart of those 
statutes. We are starting to see more awareness, more responsive¬ 
ness to recommendations, but it has to be more than a reactive pos¬ 
ture on the part of the agencies. They have to take this comprehen¬ 
sive, proactive look at security, make it a top management priority, 
and make it part of the fabric of managing the agency. 

Chairman Thompson. But they are not going to do that until 
they are told to do that, and the people to tell them to do that is 
the administration, and the arm of the administration is the 0MB. 
Now, what has happened since this Presidential directive has come 
down? ^^at specific action has been taken from a government wide 
standpoint since the Presidential directive came down? 
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Mr. Dodaro. I will ask Mr. Dacey to elaborate, but there are 
some plans that have been put in place and they have some goals, 
but it has not evolved very far. 

Mr. Dacey. The PDD63, as it is called, really set in motion some 
organizations to deal with the issue. There was a National Coordi¬ 
nator for Critical Infrastructure Protection that was created, in¬ 
cluding—he is also chairing another committee which is made up 
of agency representatives in terms of dealing with their critical in¬ 
frastructure problems, including computer security. There is also 
another goup that was formed in the Department of Commerce, 
the Critical Infrastructure Assurance Office, as well as a depart¬ 
ment within the FBI on investigating some of these issues. 

Thus far, not a whole lot has been done in terms„of getting well 
down the road. Some initial actions have been taken. In response 
to our report, the 0MB did tell us that, in fact, they are coordinat¬ 
ing with this group to come up with this combined strategy that 
Mr. Dodaro referred to earlier, but as he said, we have not seen 
that plan so cannot really comment on it at this time. 

Mr. Dodaro. Mr. Chairman, in September 1996 we issued a re¬ 
port calling for 0MB to take a more aggressive posture in this com¬ 
puter security area, right before we put it on the high-risk list. 
0MB has taken some action along with the Chief Information Offi¬ 
cer Council, but we reiterate in our report being released today 
that there has to be more action on the part of the central manage¬ 
ment agencies to make sure that action is taken across the board 
in the government. 

Now, 0MB believes that this is an important issue, but also be¬ 
lieves that the responsibilities lie at the agency level. We agree 
with that, but we are also sa 3 dng there needs to be more action at 
the central management agency. You need both. It is not one or the 
other situation. 

Chairman Thompson. Well, it is obvious to me. I am not going 
to ask you to pass judgment on it further, but the 0MB has not 
responded to this the way that they should have. I mean, they 
clearly do not see it, apparently, as being that big of a problem. 
The President issues a directive and gets some headlines out of 
that, and then when you ask the question, what has been done pur¬ 
suant to that, well, they have had a study group and a commission 
and some people have met and we are on the case. 

There is not one tangible thing that I can see that has been done, 
and you have been onto them since 1996 now, not one thing from 
a government wide standpoint has been done to highlight this 
problem and to instruct people as to specific things that are ex¬ 
pected out of them in these agencies. I might addf that it seems 
mighty similar to the Y2K problem. Until recently, I mean. Con¬ 
gress has practically had to drag them kicking and screaming into 
addressing that, and now they have got Mr. Koskinen over there 
with a handful of people and he is apparently going to be assessed 
the responsibility for transforming the government overnight, and 
that is not going to be done, either. 

So you have a couple of disasters there waiting to happen, but 
it might be on somebody else’s watch, but it is not good govern¬ 
ment. It is not right. You need to keep doing what you are doing 
and highlighting these problems and pressing them, as I assure 
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you we will, to take their responsibilities. We get so caught up in 
the day-to-day that we are not really sufficiently addressing the 
problems. I would not even call them longer-term problems. They 
are going to be here before you know it. 

I have been amazed. I mean, I am glad that we can haye this 
public hearing. We are just talking about what we can disclose in 
public. There is a lot of information here we cannot disclose in pub¬ 
lic. We are on borrowed time. We have been told by the FBI Direc¬ 
tor in public session that we are in for a long drawn-out battle as 
far as terrorism is concerned. It is amazing that we have gotten by 
as well as we have in terms of some of these problems, and I guess 
we are going to have to have a disaster to get anybod/s attention, 
but let us hope not. 

I do not know how much detail we need to get into as to what 
you have been able to do. I mean, access seems to be fairly com¬ 
plete. We talked about the technical problem versus the manage¬ 
ment problem, or insufficiency of resources as to where to assess 
the responsibility for poor information security. As I understand it, 
the Social Security Administration has a security management pro¬ 
gram that does not seem to be working very well, and the Veterans 
Administration has no security management program at all, is that 
correct? 

Mr. Dodaro. There are issues with both of the organization-wide 
plans. I will let Bob elaborate on both of those. The biggest problem 
in the Social Security Administration, as you heard this morning, 
was the unrestricted access by the employees in a large organiza¬ 
tion like that. There are dimensions of both at VA. Problems with 
broad access of employees within VA as well as vulnerabilities to 
outside intrusion, but I will let Bob elaborate on those. 

Chairman Thompson. While you are on that point, either you or 
him, what do you recommend with regard to that? Clearly, a large 
number of employees have got to have access to a lot of informa¬ 
tion. 

Mr. Dodaro. They have much more access than they need. One 
of the things that we found is that people who had left the agency 
months ago were still on the rolls as authorized users and could 
have logged into the system. So as soon as somebody leaves the 
agency, it is a very simple technique to remove them from lists of 
authorized users. 

Second, Senator, we recommend that they periodically review 
how much authority people really need. A lot of times they are just 
given broad access without any periodic reviews. People change 
jobs. They change responsibility. So a management focus needs to 
be put in place, and so we have had a number of recommendations. 
The auditors at Social Security have made those recommendations, 
as well, and they have detailed dozens of specific recommendations 
to address those issues. The solutions are well known. It is the 
management commitment and the follow-through that need to be 
put into place. 

Chairman Thompson. That is the point, is it not? 

Mr. Dodaro. Yes. 

Chairman Thompson. Mr. Dacey, did you want to comment on 
the VA part? 
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Mr. Dacey. In terms of the VA, they have some controls there, 
but overall, they do not have a comprehensive program for security 
management, and as a result, these kinds of things that we found 
in the audit are not identified by management and fixed. 

Chairman Thompson. Do we know of any other agencies that do 
not have a comprehensive security management program? 

Mr. Dacey. We found in doing our work, where that area was re¬ 
viewed, that there were significant weaknesses in every agenc/s 
computer security management program. 

Chairman Thompson. That does not really answer my question. 
My understanding was that there was no management program as 
such, no security management program as such with regard to the 
VA. 

Mr. Dacey. They do not have an overall program. There are 
some pieces that may be better controlled than others, but ovt rail, 
they do not have a strategy or program to make sure all the pieces 
fit together in an integrated fashion. 

Chairman Thompson. How many do you know? I do not know if 
you have assessed it all or not, but are there other agencies in that 
same situation, other than the VA? 

Mr. Dacey. There are other agencies that do have similar prob¬ 
lems to VA’s. 

Chairman Thompson. No overall comprehensive program? 

Mr. Dacey. That is correct. 

Chairman THOMPSON. They have bits and pieces, but no program 
as such? 

Mr. Dacey. That is correct. SSA is one agency that does have an 
active program. It just did not cover all the aspects or deal with 
some of the minor issues. 

Chairman Thompson. Do you know how many other agencies? 
Could you give us some estimate? 

Mr. Dodaro. Senator, in our report, we talk about the need for 
entity-wide security program planning and management. We found 
in the audits, where there are 17 of the 24 agencies that this as¬ 
pect was reviewed, all had deficiencies in their programs. So while 
some have more programs than others, of the 17 of the 24 where 
this was reviewed, all 17 had some deficiencies in their organiza¬ 
tion-wide planning and management activity. 

Chairman THOMPSON. I am trying to get into a quantitative dif¬ 
ference and maybe it merges so much you cannot make the distinc¬ 
tions I am trying to make. It seems to me to be a different situa¬ 
tion to have a deficiency in your program than not having a pro¬ 
gram. 

Mr. Dodaro. Right. I understand what you are saying, and I do 
not think the reviews we did specifically answered your question 
like that. 

Chairman Thompson. All right. 

Mr. Dodaro. The best answer I can give you is that the defi¬ 
ciencies that are noted are serious ones, which means they have a 
major element of their program missing, and it is not just a nu¬ 
ance. 

Chairman Thompson. This is not news to them that they have 
these deficiencies? 
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Mr. Dodaro. In most cases, it is not news. One of the things, 
though, that has really driven home this point is the fact that we 
started doing what is known as penetration testing, as you men¬ 
tioned. Before, we had talked about the fact that agencies had 
weaknesses and vulnerabilities, but they did not really believe it, 
so we were able to now sit down with the tools that are available 
and the people that we have hired and go in and actually show 
them how we can enter their systems. 

Chairman Thompson. How long would it take you to train an 
amateur, just anyone with just rudimentary or hardly any skills at 
all, using the tools that you had to hack into these computers? 

Mr. Dodaro. I will ask Keith or Bob to elaborate, but it would 
not take very long. A lot of those are well-known tools. Most of the 
hackers are self-taught over a period of time. There are also tech¬ 
niques where, with the auditors, we have used techniques called 
social engineering where all you do is call somebody up over the 
telephone and tell them you would like to have a password to get 
into their system. You are able to persuade them to ^ve you that 
information over the telephone. This requires no technical training, 
and some of the other software tools are so automated now in 
terms of automated dialers that can go through until you can hit 
and dial in on a modem, but I will ask Keith to elaborate. 

Mr. Rhodes. I could turn you into a hacker with one keystroke. 
That is how long it would take, if I had the right tools. I would 
bring it up on your computer and say, Senator, put the mouse here. 
Click that button and it will go, because the tools have been auto¬ 
mated. They have put a nice front end on them. I can sit down. 
Some of them are very stealthy. Some of them are very noisy. But 
it is a matter of you do not have to be a rocket scientist to break 
into systems anymore. 

Chairman Thompson. Also, I believe the VA does not have a 
monitoring system, is that correct? So that if someone gets in 
there, they can stay forever, presumably, because there is no mon¬ 
itoring. Explain the problem with that. 

Mr. Dacey. The situation is similar to the one we talked about 
in Social Security in the prior panel. They do not have a process 
to really identify unusual or suspicious activity taking place, either 
by employees who are exceeding their authority or by others who 
are trying to break into the system. The incidents when we did our 
penetration testing were not detected by other systems and this is 
one of the major weaknesses that we report in our report to them. 

Mr. Dodaro. This is one area, too. Senator, like, for example, the 
IRS browsing situation that you mentioned that led to the legisla¬ 
tion to have criminal penalties. For years, IRS did not have in 
place a system that effectively allowed them to monitor that type 
of activity, so that is a fairly common problem. That is one element 
of this comprehensive plan that we are trying to get organizations 
to put in place and it is sorely lacking in many organizations. 

Mr. Rhodes. This also illustrates a point where the technology 
intersects with the management, because you can have tools that 
assist you in doing the monitoring, but you have to understand 
what thresholds you are looking for and that is a management con¬ 
sideration, so you have to understand what is too much authority, 
what is too much activity, and that is going to be an operational 
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definition that comes from the managers as opposed to the tech¬ 
nology. 

Chairman Thompson. All right. Well, listen, you have made a 
msyor contribution simply by this report here, which I hope a lot 
of people will read because you set out in detail the weaknesses. 
I think the title says it all, “Serious Weaknesses Place Critical Fed¬ 
eral Operations and Assets at Risk”.^ We thank you for that. This 
is clearly a continuing matter that we want to continue to work to¬ 
gether with you on and we admire your straightforwardness and 
competence, as always, in these matters, in highlighting these seri¬ 
ous problems that we face. 

Unless you have any closing comments to make or observations, 
I will thank you for being here again today and express our appre¬ 
ciation for your work. 

Mr. Dodaro. Thank you. Senator. 

Chairman Thompson. Thank you very much. 

We will proceed to our third and final panel, Harold Gracey, Act¬ 
ing Assistant Secretary for Information and Technology, Depart¬ 
ment of Veterans Affairs, and the Hon. John Dyer, Principal Dep¬ 
uty Commissioner, Social Security Administration. 

Gentlemen, I am sure you have enjoyed the hearing so far this 
morning. As I say, we did not particularly mean to single you out, 
but we did because you do have areas that the GAO has made an 
assessment on. They will be making other assessments with regard 
to other agencies and departments in the future and I am confident 
that they will find the same kinds of problems. So we are not here 
to be overly critical of your particular agencies, but we are here to 
focus on what we plan on doing about it, the problems that we 
have. So we would appreciate any statements that you would care 
to make. 

STATEMENT OF HAROLD F, GRACEY, JR .,2 ACTING ASSISTANT 
SECRETARY FOR INFORMATION AND TECHNOLOGY, DE¬ 
PARTMENT OF VETERANS AFFAIRS 

Mr. Gracey. Mr. Chairman, Members of the Committee, I am 
pleased to be here, in spite of what I have had to listen to this 
morning, because part of my job, like everybodys in government, 
is to take things that are not perfect and make them better. 

You have my formal written statement, which I would ask to be 
included in the record. 

Chairman Thompson. It will be made a part of the record. 

Mr. Gracey. To save time and to focus on where I am con¬ 
centrating, I would only add that I share your concern about infor¬ 
mation systems security. I came to this current job only 3 months 
ago from being the Chief of Staff of the Department of Veterans Af¬ 
fairs for the previous 4V2 years. This was the first issue that land¬ 
ed on my doorstep and the piece of it that I am most concerned 
about is that this is not new news to our Department. It is, how¬ 
ever curiously, and perhaps it points to the issue of awareness, the 
first I have heard, in spite of having been at the right hand of the 


* GAO Report entitled “Information Security: Serious Weaknesses Place Critical Federal Oper¬ 
ations and Assets at Risk,” appears in the Appendix on page 127. 

2The prepared statement of Mr. Gracey ap^ars in the Appendix on page 74. 



26 


Secretary and Deputy Secretary for 3 years, that we had a signifi¬ 
cant problem in the area of information system security. 

The systems we operate at our Department contain much crucial 
and sensitive data on millions of our Nation’s veterans. Safeguard¬ 
ing that information and protecting those systems is very impor¬ 
tant to the trust that veterans have in us and in the government. 
It is important to me, it is important to the Department at large, 
and we have acted quickly now on some of the specific issues the 
GAO has pointed out and our own Inspector General has pointed 
out in the course of their reviews. We are addressing those individ¬ 
ual problems, solving those individual problems. 

We have also acted to strengthen our planning, but I think I 
would agree with Mr. Dodaro from GAO, who said earlier that we 
have much work to do, first communicating among ourselves, to 
our employees, to our managers the criticality of this issue. 

Second, not only completing policies and plans, but making the 
policies and plans real, turning them into action on which real 
changes are made, and then making sure that our protective ac¬ 
tions work, monitoring not just whether people have followed the 
guidance, but whether the guidance was adequate in preventing 
the problem, making sure that our systems are safe and secure. 

That is all I would, offer now. I would be pleased to answer any 
of your questions. 

Chairman Thompson. Thank you very much. 

Mr. Dyer. 

STATEMENT OF JOHN R. DYER,i PRINCIPAL DEPUTY 
COMMISSIONER, SOCIAL SECURITY ADMINISTRATION 

Mr. Dyer. Mr.'Chairman, thank you, and I thank the Members 
of your Committee for inviting me here today to discuss the issues 
of coniputer security at the Social Security Administration. 

I would like to begin by assuring this Committee and the Amer¬ 
ican public that nothing is more important to our agency than to 
maintain the security of taxpayer information placed in our trust. 
In fact, after the creation of the Social Security program in 1935, 
the first regulation our agency issued dealt with non-disclosure of 
SSA record data. Today, this principle remains a cornerstone of ev- 
er3d:hing we do. 

We have taken actions to protect the information in our file from 
any wrongful use or unauthorized access by outside parties and it 
is important to note that SSA mainframe computers have never 
been successfully penetrated by outside parties. The agency’s em¬ 
phasis on system security is also demonstrated by the measures we 
have taken to prevent security breaches by our employees. 

We pay benefits every month to almost 50 million Americans, 
and in order to do our work, as many as 60,000 of our 66,000 em¬ 
ployees must have access on a need-to-know basis to computer 
records. This creates an inherent tension between the need of our 
workforce in being able to deliver the right benefit payment to the 
right person and the need to have the tightest possible systems se¬ 
curity. When the agency learns an employee has abused his or her 


‘The prepared statement of Mr. Dyer appears in the Appendix on page 78. 
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systems privilege, steps are taken immediately to impose penalties 
as severe as termination of employment for the individual. 

How do we ensure security in this work environment? First, SSA 
has a full-time staff devoted to systems security throughout the 
agency and SSA uses state-of-the-art software to restrict any user 
access to data except for its intended use. We are able to audit and 
monitor the actions individual employees take when using the sys¬ 
tem and we are able to investigate allegations of misuse. As part 
of our zero tolerance for fraud policy, the Commissioner issued a 
notice to all SSA employees this past June about administrative 
sanctions that will be taken against any employees who abuse his 
or her system privileges. Penalties are severe. 

Further indication of our vigilance in security issues is that So¬ 
cial Security has a Chief Financial Officer who assures that all new 
systems have financial controls to maintain sound stewardship 
over the taxpayer monies entrusted to our care. Let me briefly re¬ 
view current systems security issues at Social Security. 

As you know. Social Security has prepared a financial audit 
statement since 1987, In our 1997 statement, we received a clean 
audit opinion from our IG, through its contractor, for the fourth 
consecutive year. However, the 1997 contracting auditor, 
PricewaterhouseCoopers, also provided the agency with rec¬ 
ommendations on how we could improve our systems safeguards 
and financial management controls. 

We are in agreement with almost all the recommendations and 
over the past few months have worked closely with 
PricewaterhouseCoopers to determine how best to achieve the ob¬ 
jectives of their recommendations. PricewaterhouseCoopers is now 
reviewing our progress and will report on this effort as part of the 
fiscal year 1998 audit of SSA’s financial statements. 

The changes being made as a result of the recommendations fall 
into four primary areas: One, improved controls to protect informa¬ 
tion; two, improvement in testing our plan for maintaining continu¬ 
ity of operations; three, improvement of our software application 
development and our control policies and procedures; and four, im¬ 
proved controls over separation of duties. 

My written testimony includes detailed information about each of 
these recommendations and about the subsequent actions taken by 
SSA. In essence, over 60 percent of the PricewaterhouseCoopers 
recommendations-have been implemented and the rest are being 
addressed expeditiously. Thus, the areas GAO cited earlier this 
morning are under control. 

But I would like at this point to return to the broader concerns 
involved in the issue of computer security. By design, SSA has used 
a computer system architecture that relies almost exclusively on 
mainframe systems and centralized databases. With this architec¬ 
ture, we have been able to more tightly control computer security 
than those agencies that have to rely on local and distributive sys¬ 
tems. However, the new technological environment requires that 
SSA now move away from mainframe environments to more dis¬ 
tributive systems, and we need to carefully consider how to build 
security features in every step of the process. 

We are supportive of independent audits of our financial state¬ 
ments and of detailed testing of agency systems. We believe it is 
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important to work with various oversight bodies to review what we 
are doing and identify any issues that need to be addressed. Only 
in this way can we be assured that SSA is doing the utmost to 
maintain the security of our computer systems and the data they 
contain. 

Finally, let me repeat what I said at the outset. The Social Secu¬ 
rity Administration has no higher priority than being able to as¬ 
sure the American public that their personal records are secure. 
We also know that this is an ongoing obligation and that constant 
vigilance is required. I want to thank the Committee and you, Mr. 
Chairman, for holding this hearing and focusing on what we all 
view as a critical concern. I would be happy to answer any ques¬ 
tions you may have. 

Chairman Thompson. Thank you, Mr. Dyer. 

As you know, in 1997, under the supervision of the GAO, the So¬ 
cial Security Administration Inspector General brought in a con¬ 
tractor to examine the Social Security computer security controls 
and to perform penetration testing on the agency’s computer sys¬ 
tems. In layman’s terms, the point of the examination was to see 
whether the administration was adequately protecting itself from 
the risk of hackers breaking in from the outside and also engaging 
in computer fraud by employees from the inside. 

The GAO discovered, as you know, shortcomings in both regards. 
Weak computer password practices which greatly diminish a cru¬ 
cial line of computer defense. Audit trail mechanisms that track 
browsing by Social Security employees and databases containing 
personal information on people were not properly set up or were 
being ignored by managers. 

They found computer network control weaknesses that could re¬ 
sult in accidental or intentional alteration of birth and death 
records, as well as unauthorized disclosure of personnel data and 
Social Security numbers, unprotected modems which permit remote 
access to Social Security Administration computers over phone 
lines, making it possible for unauthorized outsiders to enter Social 
Security Administration computer networks and modify, access, de¬ 
lete data, invent employees with computer access, deny access to 
legitimate employees and shut down computer systems in large 
portions of SSA’s networks, various holes that allowed the friendly 
hacker contractors working under GAO’s supervision to penetrate 
several SSA computer systems where they were in a position to 
view, alter, delete important data, and disrupt computer services 
by shutting down or reconfiguring computer networks. 

As one example, hackers were able to take control of the SSA E- 
mail system. They could have shut it down, altered it, or have sent 
fake E-mails from any employees, including the SSA Commis¬ 
sioner. 

GAO concluded these vulnerabilities expose SSA and its com¬ 
puter systems to external and internal intrusion, subject sensitive 
SSA information relating to Social Security numbers, earnings, dis¬ 
abilities, benefits to potential unauthorized access, modification, 
and/or disclosure, and increase the risk of waste, fraud, and abuse. 
Do you essentially agree or disagree with the GAO’s findings here? 

Mr. Dyer. I agree with GAO that we need to do better. We want¬ 
ed to have the outside auditor come in and look at our systems, be- 
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cause you constantly want to have someone telling you what may 
be wrong and where you may be vulnerable. 

On the other hand, I think the way GAO has characterized this 
makes it sound as if things actually happened. A lot of what they 
are saying are potential things that could go wrong. Some of the 
areas where they have penetrated us were what I call our perim¬ 
eter systems. But I do want to emphasize that the GAO and IG re¬ 
views done by people from outside SSA, came up with things that 
we were not aware and we had not seen in previous audits that 
had been done. We are jumping on these findings. 

Chairman THOMPSON. Things did not happen because they were 
working for the government. They did not want to shut the system 
down or invent new people or things of that nature. But you do un¬ 
derstand things could have happened if they had wanted it to. 

Mr. Dyer. Sure. There were potential things that could have 
happened and that is why we all want constantly to have outside 
people looking at you and working with you so you can see where 
your vulnerabilities are. 

Chairman THOMPSON. You were not aware of previous reports, 
you said? What was that? 

Mr. Dyer. There were things that came up in this audit that had 
not been flagged for us in previous audits. That would be fair to 
say because this was, as Gene Dodaro said, a very systematic, 
broad kind of audit that had been done. 

Chairman Thompson. Mr. Gracey, you said some of this was 
news to you, too. Similar problems were previously reported by 
your own IG. I do not know if that would have been in your line 
of authority at the time or not, but I do not think this is news to 
the top levels of the Veterans Administration. 

Mr. Gracey. That unique organizational-specific, system-specific 
weaknesses existed was not news to me. That we had major 
failings in our general planning and preparation for protecting our 
systems was news to me. 

Chairman THOMPSON. You did not know that you had no security 
management program as such? 

Mr. Gracey. No, and I think, Mr. Chairman, that is one of those 
issues that reasonable people could differ on. As GAO said before 
us, we have elements of a program. Whether or not those elements 
add up to a program or not, I would not quibble, because, frankly, 
even if we had a program, I would not be happy with it because 
it is not doing what it is supposed to do. We have elements. We 
are missing other elements. We clearly have weaknesses. We are 
clearly concerned about that. 

Chairman Thompson. GAO stated today that the VA had not es¬ 
tablished an ongoing security monitoring program to identify and 
investigate unauthorized, unusual, or suspicious intrusion activity. 
Has the VA now established an ongoing program to monitor and 
detect attacks on the system? 

Mr. Gracey. We have. We have begun the establishment of such 
a system. It exists in some places. It does not exist in others. I ex¬ 
pressed, as I opened, one of the things in an organization as big 
as ours that is troublesome—we have 220,000 employees, more 
than 1,000 locations around the country—is that a plan is only as 
good as it is executed. So we need to be very sure that we put in 


51-643 98 -2 



30 


a monitoring system that not only monitors the implementation of 
the plan, but also monitors whether the plan accomplishes what it 
is supposed to accomplish—which is to prevent unauthorized access 
to our systems. 

Chairman Thompson. Mr. Dyer, it sounds like much of the risk 
in the Social Security Administration is from current employees 
who are authorized to access SSA systems but have malicious in¬ 
tentions, and you heard the testimony that perhaps there are too 
many people with access. Do you agree with that, and can you tell 
me what controls the administration has in place to catch employee 
computer misconduct now? 

Mr. Dyer. I first want to say that I agree with the GAO that you 
always have the potential for internal vulnerability from your em¬ 
ployees. On the flip side, when you look back over the aata over 
the years and what the IG and others in investigation have found, 
there have been in our case very, very few employees who have 
misused our computer systems. We have basically 99.97 percent 
good employees. I want to start with that. 

To secure SSA records from employee misconduct, we have done 
a lot of things. As I mentioned in my testimony, we toughened the 
penalties and made them very clear. We have reiterated the pen¬ 
alties in a more forceful way and we have the IG working with 
prosecutors to see if we can not get better enforcement. 

Also, we knew that we needed more intelligence, so we have in¬ 
creased, as the IG mentioned to you, the size and focus of his staff 
and given him more resources and tools for him to do his job. 

Because in many cases of employee fraud, you really cannot 
catch them before they do it, the question is how do you catch them 
after the fact? We have audit trails and we have moved to make 
them a little bit more automated and we have new systems that 
we are going to be developing for audit trails so we can utilize 
them faster. 

Chairman Thompson. It sounds like those audit trails are so vo¬ 
luminous that it encourages people maybe not to use them as much 
as they should. 

Mr. Dyer. Yes, there are a lot of data in there, and right now 
you cannot manually take advantage of all the data you get out of 
the audit trails. What we try to do is figure out what things we 
should look for. Some things, we have automated. I do not want to 
get into details, but with regard to Social Security numbers we now 
have a way that we can automatically capture some of that. 

The other thing we do is when we deal with our security officers 
around the country, we have told them what to look for, what kinds 
of profiles. We are now, with systems as the priority, moving to do 
a lot more automating so that you can go through the data fast, 
and catch trends; we can cover longitudinal distances and what 
not. So the equipment can get us the information faster. 

Also, we are learning from the data. When the IG finds some¬ 
thing or we get wind of something, we have an approach to address 
the problem. We figure out how to create a profile for that problem, 
which is what insurance companies do and other groups do when 
they are tr 3 dng to defend themselves from these kinds of activities. 

I think it is also important to get more prosecutions. You have 
got to deliver this message. The deterrent is that the employees 



31 


and others know that there is a chance they will get caught, in rea- 
sonably quick time, and that when they do get caught, the pen¬ 
alties are very severe. 

Chairman THOMPSON. Like maybe even more than a $100 fine? 

Mr. Dyer. That is right. More than 4 months suspended sentence 
at home. 

Chairman Thompson. Well, that has more to do with my other 
Committee, Judiciary, and these judges we approve that when they 
come and- 

Mr. Dyer. Any help you could give us there, we would appre¬ 
ciate. 

Chairman Thompson [continuing]. All the statements that they 
make about what they are going to do and so forth before they get 
their lifetime appointment. 

Let me ask you this, each of you. What interface have you had 
over the last year or so, or your department, with the 0MB with 
regard to addressing this problem, if any? 

Mr. Gracey. This has been a point of discussion and concern at 
the Chief Information Officers Council, which I am new to, but it 
has come up on my screen, as I said, in the first several months 
of this job. In fact, I had a meeting just 2 weeks ago with the secu¬ 
rity champion, as he is referred to, for the Chief Information Offi¬ 
cers Council, who is working to spread the best practices that Mr. 
Dodaro described, and others, around among the community of 
Federal departments and agencies. 

So I would say it has had some attention. Clearly, there are 
other things that have been more urgent, the year 2000 among 
them, but it has received some focus. It has not received the 
amount of focus inside the VA that it needs and we are going to 
cure that. 

Chairman Thompson. I am talking about specifically with regard 
to your discussions with 0MB concerning this problem. Have you 
had any discussions or directives from 0MB with regard to this 
specific problem? 

Mr. Gracey. I do not recall any directives, but there have been 
discussions, yes. 

Chairman Thompson. With whom? 

Mr. Gracey. With Ed Deseve, who is the Deputy Director for 
Management, I believe, and- 

Chairman THOMPSON. And who in your shop? 

Mr. Gracey. Myself 

Chairman THOMPSON. What was the nature of those discussions? 

Mr. Gracey. That, in fact, this was an issue of some high profile 
that we were all going to need to worry about, and then—— 

Chairman THOMPSON. Was it in the context of the Chief Finan¬ 
cial Officers or Chief Information Officers Act requirements? 

Mr. Gracey. Yes, within the context of the Chief Information Of¬ 
ficers Act and Council. And then again, I had a conversation with 
the designated champion—the Chief Information Officers Council 
works under the leadership of and in partnership with 0MB. The 
fellow, I believe, is from the Department of Commerce who has 
taken on the lead role in security. He came to visit me and my staff 
with his staff and we discussed some of the issues. We have some 
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folks working with him to get best practices, get that spread across 
our department as well as others. 

This is going to become an even bigger issue, Mr. Chairman, as 
we expand our systems to be new, more modern systems, as Mr. 

Dyer mentioned. It is an issue that we are all very much concerned 
about. 

Chairman Thompson. Have there been any directives or guide¬ 
lines that have come from 0MB with regard to this matter- 

Mr. Gracey. Not that I am familiar with. 

Chairman Thompson [continuing]. In addition to an expression 
of concern? 

Mr. Gracey. Not that I am familiar with, but I am new. 

Chairman Thompson. Well, you would know about that if they 
were lying around over there somewhere, would you not? 

Mr. Gracey. I hope I would. 

Chairman Thompson. Mr. Dyer, what about you? 

Mr. Dyer. We have had discussions with 0MB when we got our 
audited financial statement. I talked to Ed Deseve, who is the focal 
point in 0MB for this kind of thing. He heads up the management 
side. We have worked with his staff. We went through what the 
recommendations showed and what our concerns were. 

Chairman THOMPSON. Well, you keep going back to that audit, 
and that is important, but that covers a lot of stuff that we are not 
dealing with here. 

Mr. Dyer. No, but I keep saying, a lot of what the GAO has been 
alluding to or the problems they have found were found by Price- 
waterhouseCoopers when they did the financial audit. 

The second thing is that I have been on the CIO Council for a 
couple of years now and the CIO Council has moved to the front, 
next to Y2K, the whole question of security. But I will be very can¬ 
did with you, Mr. Chairman, security has to be an agency initia¬ 
tive. 0MB can send directives all over town. It can support us in 
dollars and cents, which we have received from 0MB over the 
years and from the Congress. But each agency has to decide it is 
going to do it. 

Where we find the CIO Council and these other groups useful is 
the exchange of information and knowing what is the latest infor¬ 
mation. The CIO Council sponsored a symposium recently. We sent 
some of our people to make sure we are up to speed, hearing what 
other agencies are going up against and learning, because you v 

learn from other people’s experience. 

Chairman Thompson. Well, maybe I do not understand the na¬ 
ture of their job, then. I thought the “M” in 0MB had to do with 
management. 

Mr. Dyer. Well, they focused in on the problems that we found 
and we have been working with them and the message I have got¬ 
ten from them is “fix it.” I am working on fixing the problems that 
were found. 

Chairman Thompson. Well, to be continued. I think, if nothing 
else, we all have a better understanding of the nature of the prob¬ 
lem. We are all trying to get to the same place. So let me encourage 
you to continue to do that, but also assure you that we will con¬ 
tinue to be looking at this and next time we will have all been put 
on notice of these problems and we will be asking questions about 
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what is being done in order to make progress toward dealing with 
them. 

I appreciate your being here today. Thank you very much. 

Mr. GraceY. Thank you. 

Mr. Dyer. Thank you. 

Chairman Thompson. We are adjourned. 

[Whereupon, at 11:50 a.m., the Committee was adjourned.] 




APPENDIX 


LETTER FROM MR. HUSE TO SENATOR THOMPSON 

The Hon. Fred Thompson 
Chairman, Committee on Governmental Affairs 
U.S. Senate 
Washington, DC 20510 

Dear Mr. Chairman: Thank you for the opportunity to provide the Committee on 
Governmental Affairs with a formal statement, for the record, that conv^s my 
views on the importance of the relationship between Inspectors General (IG) and 
agency heads ana changes to the IG Act that are proposed in S. 2167. 

I see the role of the Office of the Inspector General (OIG) within an agency as 
being constructive as well as instructive. I believe each OIG should ensure that its 
function exists as a valued part of the agency it serves. Too often, the model of an 
OIG’s interactivity within an agency is (because of a misunderstanding of the con¬ 
cept of IG independence) one of confrorttation and isolation. This type of interaction 
engenders an adversarial and sometimes hostile relationship between an IG and his/ 
her agency. I am convinced that this is a distortion of the Congress’ intent when 
it passed the IG Act of 1978. 

It is critical for an IG to maintain independence and objectivity and yet foster a 
positive cooperative relationship with the head of his/her agency. IGs must balance 
their need for independence with an equal responsibility to become a valued partner 
in the agency they serve. This relationship should be built on a foundation of mu¬ 
tual respect. To attain this relationship, tne IG must be perceived as fair-minded. 
As agents of positive change, IGs must ensure that their activities are above-board 
and that they do not hold the agency to a different set of standards than they hold 
themselves. This enhances an agency’s trust in the OIG and makes the head of the 
agency more amendable to their recommendations. An IG whose reports and counsel 
are ignored or rejected has no utility. 

Regarding the proposed changes to the IG Act, I believe the most important one 
is giving each IG a fixed term. Because an IG needs to sustain a relationship of re¬ 
spect and self-confident counsel with the head of an agency, they need legislated 
tenure over fixed terms of office. This legislative adjustment would ensure that IGs 
maintain their independence within an agency’s organizational structure. IG tenure 
and fixed terms would also attenuate the tendency of some IGs to distance them¬ 
selves from the leadership of their agencies. 

If I can be of any further assistance regarding this matter, please call me or have 
your staff contact Stephanie J. Palmer, Acting Assistant Inspector General for Ex¬ 
ternal Affairs. 

Sincerely, 

James G. Huse, Jr. 

Acting Inspector General 
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Mr. Chairman and members of the Committee, thank you for inviting me to appear today to 
discuss system security weaknesses and employees who took advantage of these weaknesses to 
commit fraudulent activities at the Social Security Administration (SSA). 

In response to a request from this Committee regarding the vulnerabilities of SSA systems, we 
have come to discuss the types of cases that have the highest priority; that is, employee fraud 
cases. When the SSA Office of the Inspector General (OIG) was established, the Commissioner 
of Social Security asked that employee integrity investigations be our paramount mission. System 
security is very important, and although we can have the best security in place, if employees are 
compromising system security, the system becomes flawed. 

Identifying, investigating, and prosecuting SSA employees who inappropriately or criminally 
misuse their access to SSA electronic records systems to commit program fraud and other crimes 
is the number one priority of the SSA OIG. SSA components through our fraud referral process, 
inform OIG of suspicious behavior or allegations of suspicious behavior by employees for 
evaluation and consideration. This includes the results of periodic audits of employee system 
accesses that supervisors are required to conduct. Because of SSA OIG’s cooperative 
relationship with SSA, we are able to deter employee fraud by seeking prosecution against 
employees who commit criminal violations and publicizing these prosecutions. 

One of SSA OIG’s major efforts in the detection of fraud is OPERATION CLEAN SLATE, 
which is designed to identify and prosecute employees who fraudulently manipulate SSA’s 
electronic record systems to commit program fraud and other crimes. Under OPERATION 
CLEAN SLATE we have a number of initiatives designed to identify employees who abuse the 
Social Security data they have access to. We also exchange information with other Federal law 
enforcement agencies, such as the United States Secret Service, the Immigration and 
Naturalization Service, and numerous State and local law enforcement agencies, to vigorously 
investigate and prosecute career criminals who deal in Social Security fraud. 

Today we will discuss some of the cases and projects that resulted from OPERATION CLEAN 
SLATE. 

One of these projects, OPERATION PINCH, was initiated in late 1995, when SSA advised OIG 
of a possible corrupt employee in a New York Office. This fact was coupled with information 
received from the Citicorp Fraud Investigation Unit, Hagerstown, Maryland, who contacted SSA 
OIG in early 1996 to advise us of a major credit card fraud ring operating in the New York area. 
They informed us that stolen credit cards were being activated by contacting an "800” telephone 
number and supplying the card holder’s name, SSN, and mother’s maiden name. Citibank 
provided us with a list of 52 fraudulently activated credit card holder’s SSNs and requested that 
SSA initiate data runs to determine if any SSA employees queried the same SSNs through the 
SSN data base on or about the activation date of the credit card holder’s card. With full 
cooperation from SSA, a query of Social Security records found that employees had accessed the 
subjects records. 
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OPERATION PINCH was a criminal investigation in which a group of West African co¬ 
conspirators targeted the SSA data base for information needed to activate stolen credit cards for 
financial gain. These individuals obtained the SSNs associated with the stolen credit cards from 
various sources who had access to credit bureau records. They accomplished their goal by 
providing lists of SSNs to either SSA employees directly or indirectly through other associates. 
They elicited the SSA data for mothers’ maiden names by offering bribes to the SSA employees. 
Many credit card companies require customers to contact a “800” telephone number to activate 
credit cards and require that SSNs and mothers’ maiden names be provided as identification 
requirements. By using an audit trail software established by SSA to associate inquiries made of 
SSA computer system records by SSA employees, via a personal identification number, OIG and 
SSA were able to identify potential criminal violations. In addition, the investigation revealed that 
mother’s maiden names and dates of birth were also being used by the West African co¬ 
conspirators to change the addresses of the true account holders and identity takeovers for illegal 
purposes; i.e., fraudulent loans, etc. No Social Security d^^a of the actual account number 
holders were affected in any manner. 

Through March 1996 to June 1996, the financial community continued to provide additional data 
to be run against the SSK files accessed by suspect employees. The data matches resulted in the 
identification of several employees. Through the interviews of these suspect employees, their 
admittances, and further investigation, additional employees, contract security guards at SSA 
facilities, and several West African and other co-conspirators were identified and prosecuted. 
Credit card fraud investigators from Citibank, Chase Manhattan Bank, Bank of America, and 
NOVUS provided additional information to us on stolen credit cards and their subsequent 
activation and the West African Task Force of the United States Secret Service supported our 
Agency’s investigation. 

This information resulted in the identification of several credit card fraud conspiracies in the 
New York area that included 12 SSA employees, 3 contract SSA Security Guards, and a 
New York City Human Resources Administration case investigator. Two employee 
investigations also took place in Milwaukee, Wisconsin, and Los Angeles, California. In addition, 
co-conspirators were also developed in Washington, D C., Baltimore, Maryland, and Dallas, 
Texas. During the course of our investigation we determined that 20,000 names were furnished 
by SSA employees to the West African co-conspirators. According to financial institutions, fraud 
loss per activated stolen credit cards is estimated at $3,500. The credit card companies estimated 
the loss at $70,000,000. These dollar amounts reflect the total amount of fraud perpetrated by 
various criminals and should not be attributed to activities conducted by SSA employees alone. 
Throughout this investigation we have been able to identify that these 12 employees accessed 
thousands of SSN records and, based on the interviews of the employees, they received 
approximately $10 to $50 per SSN run. 


2 



39 


Now I would like to specifically address seven investigations that were part of Project 
OPERATION PINCH in the New York Field Division: 

1. Of the 52 SSNs provided by Citibank, 23 had SSN queries made by SSA employee 
LESLIE ALVARADO prior to the activation of the cardholders stolen credit card. 

MS. ALVARADO was a GS-8 Contact Representative in the Boro Hall District Office in 
Brooklyn, New York. During an interview with Special Agents from our office, 

MS. ALVARADO admitted to obtaining 30 Social Security account histories a day for a period 
of 2 years. She informed us that she provided the SSNs to a West Afncan employee of the 
New York City Department of Human Resources Administration, Department of Social Services 
who used the information to activate stolen credit cards She also obtained a second Social 
Security account number for the city employee, knowing that he already had a number issued to 
him. 

MS. ALVARADO subsequently resigned from her position with the SSA and was arrested for 
Conspiracy to Commit Computer Fraud. MS. ALVARADO later pleaded guilty to two felony 
counts. The first count was for Conspiracy to Commit Unlawful Accessing of the Social Security 
Administration’s data bases, and the second count was for Unlawful Issuance of a Second Social 
Security account number. She was sentenced to 5 years supervised probation and ordered to pay 

a $100 fine. 

% 

2 . Another query of the SSN data base identified YOLANDA MILFORD, a GS-5 Claims Clerk 
in the North-Eastern Program Center in Jamaica, New York, who accessed the SSA system at an 
unusual high rate. The SSA records reflected that MS. MILFORD, who had minimal need to 
access the data base system, had conducted 655 record searches in a 6-month period. During an 
interview, MS MILFORD admitted selling 1,000 to 1,500 account records to co-conspirators for 
between $10 and $20 each. 

MS. MILFORD resigned from her position with the SSA and was arrested July 15, 1996, for 
Conspiracy to Commit Credit Card Fraud and Conspiracy to Commit Computer Fraud. She 
pleaded guilty to one count of bribery on October 10, 1996. On March 14, 1997, 

MS. MILFORD was sentenced to 4 years probation and fined $2,000. 

3. Based on the results of a local District Attorney search warrant, numerous Social Security 
records were obtained from a private New York residence. A review of these documents 
revealed that CARLA AMEVOR, a GS-8 SSA Contact Representative in the Jersey City, 

New Jersey, Teleservice Center, had accessed these accounts. During our interview, 

MS. AMEVOR admitted providing approximately 100 SSN records to a West Afncan co¬ 
conspirator and receiving $15 per record, totaling $1,500 in illegal payments. 
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MS. AMEVOR resigned from her position with SSA and was arrested November 19, 1996, for 
Conspiracy to Commit Computer Fraud. MS. AMEVOR pleaded guilty on January 22, 1997 to 
Conspiracy to Engage in Unauthorized Use of a Government Computer. She was sentenced on 
April 30, 1997, to 2 years probation with the special condition to seek psychological counseling 
and fined SSOO. 

4. Another query of the SSN data base identified ERNEST MACASET, a GS-4 Clerk Typist at 
the Flatbush District Office in Brooklyn, New York. During our interview, MR. MACASET 
advised us that he had been approached by the contract SSA Security Guard at his office to sell 
Social Security record information for $50 to $100 per record. Between November 1995 and 
April 1996, MR. MACASET sold SSN records to the guard. He further advised us that since 
the guard only paid him $40 per record, he discontinued selling SSA records. He further 
identified a West Afiican co-conspirator as an individual to whom he sold SSA records for 

$50 per record from April 1996 through the end of July 1996. MR. MACASET was 
immediately terminated from SSA employment and was later arrested for bribery. On 
March 6, 1997, he entered a guilty plea for one count of Disclosure of Confidential Information. 
On July 3, 1997, he was sentenced to 3 years probation, fined $8,343, and ordered to pay 
restitution in the amount of $20,239 to financial institutions. 

5. Through our investigations of employees at the Flatbush District Office of SSA, 

EUGENE RYBALSKY, a Stay-in-School Clerk Typist (SIS) (GS-4), was identified as accessing 
SSA records and furnishing them to the office Security Guard. During the interview, 

MR. RYBALSKY refused to cooperate. 

MR. RYBALSKY was immediately terminated from SSA employment and was later arrested on 
November 19, 1996, for violation of bribery. On January 31, 1997, MR. RYBALSKY pleaded 
guilty to one count of Disclosure of Confidential Information. He was sentenced on 
May 2, 1997, to 3 years probation, 200 hours community service, and fined $25. 

6. Through our investigations of employees at the Flatbush District Office, 

MICHAEL WATKINS, SIS Clerk Typist (GS-4), was identified as accessing SSN records and 
selling them to the office Security Guard. During our interview, MR. WATKCNS admitted to 
providing SSA records to the office Security Guard. A review of SSN records revealed that 
MR WATKINS conducted approximately 2,400 SSN searches in 18 months. MR WATKINS 
was immediately terminated from SSA employment and later arrested in November 19, 1996, for 
bribery, more specifically, for his involvement in the sale of SSN records. On January 28, 1997, 
he pleaded guilty to 1 count of Disclosure of Confidential Information. On April 29, 1997, he 
was sentenced to 2 V 2 years probation and 6 months home confinement. 

7. A further review of SSN data base records in comparison to stolen credit card activation 
identified LENA MORTON, a GS-5 Claims Clerk in the Bronx River Parkway Branch Office, as 
accessing data base records. During our interview, MS. MORTON admitted to selling Social 
Security account records to the former Security Guard at her office for $15 per record. 
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MS. MORTON was terminated from SSA employment and was later arrested on 
September 19, 1996, for violation of Conspiracy to Commit Computer Fraud. On 
March 6, 1997, she pleaded guilty to one count of bribery. She was sentenced on July 7, 1997, to 
3 years of supervised probation, assessed a $100 fine, and mandated to receive drug counseling. 

Now I would like to discuss several additional significant employee cases that we have 
investigated that have resulted in prosecution. 

1. On July 10, 1995, the SSA’s Regional Security Office in San Diego, California, notified the 
recently established SSA OIG of allegations made by a private citizen that WILLIAM JOSEPH 
YUST (Case No. L-95-01454-6) had charged two individuals $100 each to waive the 
overpayments debited against their Social Security accounts. The SSA OIG opened an 
investigation and 4 months later learned from SSA management that MR. YUST’s wife was 
reportedly threatening to advise the police that he was also selling Social Security cards. 

A subsequent investigation by SSA OIG investigators revealed that MR. YUST illegally 
processed approximately 160 original or duplicate Social Security cards for approximately 
133 individuals who were not entitled to have them. He admitted selling the Social Security 
numbers and cards for $200 each and using the proceeds to purchase drugs. MR. YUST 
explained that he »vas able to thwart detection of his unauthorized activity by altering the office 
code associated with each of his entries in the computer system. By changing his assigned office 
code to reflect the codes of various offices throughout the Nation, he reduced the likelihood that 
periodic security reviews would detect any unusual patterns of activity. 

On May 5, 1997, MR. YUST pleaded guilty to one felony count of accepting a bribe and one 
felony count of processing and causing to be issued unauthorized Social Security numbers and 
cards. He was sentenced on August 4, 1997, to serve 3 years.of supervised probation, to 
complete 50 hours of community service, and to pay a special penalty of $100. MR. YUST’s 
employment was terminated on May 24, 1997, after a lengthy period of administrative leave. 

2. The following case was initiated in 1997 by SSA OIG based on a referral from an outside law 
enforcement agency. This information was developed while debriefing a subject in a narcotics 
investigation. The subject provided information, which led to the identification of SSA employee 
KATHLEEN DAIGRE (Case No. C-97-00I24-D) who was running a scheme to defraud SSA. 

A preliminary review of SSA records revealed MS. DAIGRE was employed as a GS-9 Benefit 
Authorizer at the SSA Payment Center in Kansas City, Missouri. In the capacity of Benefit 
Authorizer, MS. DAIGRE authorized SSA checks to be written and mailed to persons entitled to 
Social Security benefits. 

Based on this information, SSA OIG requested that the SSA Security and Integrity Team perform 
a review of the SSNs that MS. DAIGRE had accessed as a part of employment. The review 
revealed that MS. DAIGRE had accessed and changed Social Security records pertaining to 
herself and family members. The Security and Integrity Service review determined that as a result 
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of the changes MS. DAIGRE had made to the Social Security records, unauthorized checks were 
issued from October 2, 1995 through November 2, 1996, to ten deceased beneficiaries and two 
living beneficiaries. MS. DAIGRE had changed the addresses of these beneficiaries in the Social 
Security records to reflect her address or her fiiends’ addresses. In order to make the checks look 
legitimate, MS. DAIGRE used one of her former married names, her maiden name, or some 
variation thereof Through interviews conducted by SSA OIG Special Agents, it was also 
established MS. DAIGRE had conspired with MS. JUDITH METCALF, a GS-9 Benefit 
Authorizer in the same Payment Center, to issue SSA checks to herself, her husband, her son, and 
a fiiend. The amount of the fraudulent checks issued by MS. DAIGRE and MS. METCALF 
totaled $174,312.30. 

MS. DAIGRE and MS. METCALF were charged with Theft of Government Funds and 
Property. Both resigned their positions with SSA and entered into plea agreements for these 
charges with the stipulation that they confess to their wrongdoings and make restitution. 

MS. DAIGRE was ordered to serve 15 months in prison, 3 years probation, and pay restitution 
to SSA in the amount of $174,312.30. MS. METCALF was ordered to serve 5 years probation 
and pay restitution to SSA in the amount of $20,933.10. 

3. In November 1993, a Chicago bank referred a case to OIG regarding suspicious account 
activity held by ALBERT IRWIN (Case No. 5-93'01021-6), a GS-9 Benefit Authorizer at the 
Social Security Great Lakes Program Service Center. As a result of this referral, the SSA Great 
Lakes Program Service Center Integrity Staff conducted a review of MR. IRWIN’s computer 
traffic and confirmed suspicious activity. In mid-1995, SSA OIG Special Agents interviewed 
MR. ERWIN who signed a written statement confessing to SSA fraud. Approximately 2 weeks 
later he resigned from his position with SSA. 

The investigation disclosed that MR IRWIN generated “one-check-only payments” to fictitious 
individuals by entering false data into the records of existing beneficiary accounts. By way of 
explanation, a “one-check-only payment" is a one-time, retroactive payment that can be sent to 
any person, account or address. For example, a survivor could receive an underpayment on a 
number holder’s account. MR IRWIN had a total of $84,463 directly deposited through such 
false entries to his personal account a the Chicago bank. He withdrew the money from his 
account and spent it for personal use. 

In October 1996, MR IRWIN pleaded guilty to one count of Wire Fraud in Federal District 
Court in Illinois and was sentenced to 1-year incarceration and restitution of $7,200. 

4. The SSA OIG received an allegation that an SSA employee had improperly and maliciously 
changed the record (within the SSA data base) of an acquaintance. The fraud was initially 
detected when the victim applied for a bank loan. Through queries made by the bank, it was 
discovered that records pertaining to the victim reflected she was deceased. The victim personally 
called in the complaint. 
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The aUegation identified JORGE A. YONG (Case No. F-97-0032J-C). a GS-11 Claims 
Representative at the Belle Glade, Florida District Office, as the subject. Allegedly, 

MR. YONG made an entry into the Social Security number record of the victim to indicate she 
was deceased. The victim is living in Naples, Florida. 

The SSA OIG initiated an investigation and interviewed the complainant, the suspect, and 
employees of the Belle Glade, Florida District Office. The electronic logs for the SSA computer 
system were reviewed to develop a history of the entries made to the victim’s account. That 
review found that another employee of the Belle Glade, Florida District Office had entered the 
date of death on the victim’s record. Although that employee denied any wrongdoing, she 
recalled occasions she had left her SSA computer terminal unattended and returned to find other 
CO workers using it. 

We found that the victim and MR. YONG were acquainted via Internet communications. The 
two had a disagreement, which precipitated MR. YONG’s ban from an Internet chatroom they 
both frequented. Another Internet party informed the victim that MR. YONG had mentioned he 
had the ability to have the victim’s SSN reflect that she was deceased. 

MR. YONG was interviewed and admitted he had queried the Social Security data base 
concerning the victim. He also admitted that he used a coworker’s terminal to make the date of 
death input into the victim’s record. He confessed that he made these queries and inputs because 
of a personal conflict he had with the victim. MR YONXi subsequently resigned from 
employment v/ith SSA. 

Pursuant to an appearance before the U S. District Court in Ft. Lauderdale, Florida, MR YONG 
pleaded guilty to one count of falsifying the personal data filed and deposited with an agency of 
the United States. He was sentenced to I-year probation, ordered to pay restitution in the 
amount of $700 to the victim, and pay a special assessment of SI 00 to the court. Additionally, he 
is expected to maintain a full-time job and refrain from Internet access during his probation 
period. 

5. The SSA OIG received information alleging that Nationwide Electronic Tracking, Inc., of 
Tampa, Florida, was selling confidential Government information, including Detailed Earnings 
Queries unlawfully obtained from SSA and National Crime Information Center (NCIC) criminal 
histories unlawfully obtained from the Department of Justice (DOJ). An 18-month undercover 
investigation ensued which substantiated the allegation and resulted in the conviction of 
21 individuals including 5 SSA employees, 1 SSA Government contractor, 2 law enforcement 
officials, and 1 Army Criminal Investigations Division Officer. 

This case involved cooperating witnesses who bought and sold non-public information such as 
SSA records (Detailed Earnings Queries and SSN Queries) and DOJ - NCIC criminal histories. 
The investigation traced a nationwide network of information brokers and their sources. Even 
though this investigation dealt primarily with the theft of protected United States Government 
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information, it also showed how information brokers gathered protected information by “pre¬ 
texting" or “gagging.” These practices involve tricking an individual via a telephone call, into 
providing information unwittingly; a violation of Fraud by Wire. 

DONALD L. WRIGHT (Case No. 4-90-00327-6), a GS-7 Teleservice Center Representative at 
the Ft. Lauderdale Teleservice Center, had access to SSA’s computer network. Our investigation 
substantiated that MR. WRIGHT had accepted bribes from information brokers in exchange for 
conducting unauthorized inquiries of Social Security records. MR WRIGHT reportedly 
received approximately $3,000 for SSA information. He resigned from SSA after being 
interviewed by SSA OIG Special Agents. 

For his role in the unauthorized access and sale of Government information, MR WRIGHT was 
indicted and charged with a violation of Conspiracy. He eventually pleaded guilty to conspiracy 
and was sentenced to 2 months incarceration, 4 months of home detention with electronic 
monitoring, Vh years probation, and a special assessment of $50. 

The other subjects of this investigation were also convicted of various felony statutes including 
bribery, unauthorized disclosure of tax return information, theft of Government property, and 
conspiracy. 

6. In March 1995, the following case was referred to OIG from the SSA Regional Security Staff 
in New Jersey, who had been contacted by a small New Jersey Bank regarding suspicious activity. 
The bank reported that a number of SSA electronic fund transfers (EFTs) in the amount of $2,999 
each had been deposited into one of their customer’s accounts. The EFTs were in different names 
and SSNs. 

On March 24, 1995, the SSA OIG interviewed the account holder, who was not an SSA 
employee. The subject denied knowing how or why SSA funds had been sent to his savings 
account; however, he did admit to withdrawing and using the money in the account 

On March 28, 1995, SSA OIG, working with the SSA Northeastern Program Service Center 
(NEPSC) Security and Integrity Staff, determined that RONALD SNODDY (Case No. 2-95- 
00300-6), a GS-9 Benefit Authorizer at the NEPSC, was involved in a scheme to defraud SSA. 
The investigation disclosed that, in his capacity as a Benefit Authorizer for SSA, MR. SNODDY 
authorized wire transfers of SSA funds to bank accounts held by himself and others who were not 
entitled to receive such funds. From March 1994 through March 1995, MR. SNODDY 
transferred approximately $328,731 in this manner. 

The investigation led to the identification and prosecution of additional account holders, who 
were not SSA employees, who received SSA funds from MR SNODDY through New Jersey 
and New York banks.' 
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On April 6, 1995, MR SNODDY was arrested by SSA OIG Special Agents on charges involving 
Wire Fraud and Money Laundering. On June 5, 1995, MR SNODDY resigned his position at 
SSA. On September 28, 1995, MR SNODDY pleaded guilty in U.S. District Court, Newark, 
New Jersey, to an Information charging him with Wire Fraud and Aiding and Abetting in Wire 
Fraud. On July 12, 1996, he was sentenced to 4 months imprisonment, 4 months home 
confinement. 3 years supervised release, restitution of $50,000, and a special assessment of $50. 
The Court waived the fine, however, due to the inability of the defendant to pay. 

Employee fraud cases represent the smallest number of cases we investigate; however, employee 
fraud is the most serious matter that we must deal with effectively. We believe publicizing the 
cases we investigate and successfully prosecute is an effective deterrent against future employee 
fraud. OIG publicizes fraud cases by distributing fact sheets to SSA Regional Public Affairs 
Officers and SSA headquarters personnel. The Regional Public Affairs Officers prepare press 
releases and work with the local field office managers to get media coverage and to issue the 
press releases. We also transmit the findings to SSA Headquarters for distribution to SSA 
employees via SSA publications. In this way, prosecutions are made public and all SSA 
employees are made aware of the fact that employee misconduct will not be tolerated. Increasing 
OIG resources and recent access into SSA systems, will increase our abilities to identify and 
monitor suspicious activity and vulnerable areas. We are dedicated to eliminating employee fraud 
and misconduct at SSA. I wish to thank the Committee again for focusing on this important and 
serious issue and would be pleased to answer any questions you may have at this time. 
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Mr. Chairman and Members of the Committee: 


I am pleased to have this opportunity to provide an assessment of the current state of 
information security in fedei^ government. Our most recent report, done at the request of 
this Committee, delineates the serious information security weaknesses placing critical 
operations and assets at risk and outlines actions needed to further improve security 
practices across government The two agencies that you asked us to focus on today-the 
Department of Veterans Affairs and the Social Security Administration-illustrate the types 
of risk facing individual departments and agencies as well as actions required to 
strengthen security management Recent efforts by these organizations and others 
throughout government are encouraging because they signify increasing attention to 
information security concerns, but as we will discuss today, additional measures are 
necessary for the federal government to develop and maintain a truly effective security 
management program. 

INroR^U T10 N■Jm^BlIy-.IS■DBAMNfi 
I NC REASED ATTE NT ION 

We last provided you an overview of federal information security in September 1996. At 
that time, serious security weaknesses had been identified at 10 of the largest 15 federal 
agencies, and we concluded that poor information security was a widespread federal 
problem.' We recommended that the Office of Management and Budget (0MB) play a 
more active role in overseeing agency practices, in part through its role as chair of the 
then newly established Chief Information Officers (CIO) Council. Subsequently, in 
Februaiy 1997, as more audit evidence became available, we designated information 
security as a new govemmentwide high-risk area in a series of reports to the Congress.^ 

During 1996 and 1997, federal information security also was addressed by the President’s 
Commission on Critical Infrastructure Protection, which had been established to 
investigate our nation's vulnerability to both "cyber" and physical threats. In its October 
1997 report. Critical Foundations: Protecting America’s Infrastructures , the Commission 
described the potentially devastating implications of poor information security from a 
national perspective. The report also recognized that the federal government must ’’lead 
by example," and included recommendations for improving government systems security. 
This report eventually led to issuance of Presidential Decision Directive 63 in May 1998, 


' Information Security: Opportunities for Improved 0MB Oversight of Agency Practices 
(GAO/AlMD-96-110, September 24, 1996). 

^ High Risk Series: Information Management andJechnolQgy (GAO/HR-97-9, February 
1997). 
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which I will discuss in corgunction with other govemmentwide security improvement 
efforts later in my testimony. 

POTENTIAL RISKS ARE INCREASING 

As hearings by this Committee have emphasized, risks to the security of our government's 
computer systems are significant, and they are growing. The dramatic increase in 
computer interconnectivity and the popularity of the Internet, while facilitating access to 
information, are factors that also make it easier for individuals and groups with malicious 
intentions to intrude into inadequately protected systems and use such access to obtain 
sensitive information, commit fraud, or disrupt operations. Further, the number of 
individuals with computer skills is increasing, and intrusion, or "hacking," techniques are 
readily available. 

Attacks on and misuse of federal computer and telecommunication resources are of 
increasing concern because these resources are virtually indispensable for carrying out 
critical operations and protecting sensitive data and assets. For example, 

weaknesses at the Department of the Treasury place over a trillion dollars of 
annual federal receipts and payments at risk of fraud and large amounts of 
sensitive taxpayer data at risk of inappropriate disclosure; 

weaknesses at the Health Care Financing Administration place billions of dollars of 
claim payments at risk of fraud and sensitive medical information at risk of 
disclosure; and 

weaknesses at the Department of Defense affect operations such as mobilizing 
reservists, paying soldiers, and managing supplies. Moreover, Defense's warfighting 
capability is dependent on computer-based telecommunications networks and 
information systems. 

These and other examples of risks to federal operations and assets are detailed in our 
report Information Security: Serious Weaknesses Place Critical Federal Operations and 
Assets at Risk (GAO/AIMD-98-92), which the Committee is releasing today. Although it is 
not possible to eliminate these risks, understanding them and implementing an 
appropriate level of effective controls can reduce the risks significantly. Conversely, an 
environment of widespread control weaknesses may invite attacks that would otherwise 
be discouraged. 

SERIOUS WEAKNESSES CONTINUE 
TO BE IDENTIFIED 

As the importance of computer security has increased, so have the rigor and frequency of 
federal audits in this area. During the last 2 years, we and the agency inspectors general 
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(IGs) have evaluated computer-based controls on a wide variety of financial and 
nonfinancial systems supporting critical federal programs and operations. Many of these 
audits are now done annually. This growing body of audit evidence is providing a more 
complete and detailed picture of federal information security than was previously 
available. 

The most recent set of audit results that we evaluated-those published since March 1996- 
describe significant information security weakness in each of the 24 federal agencies® 
covered by our analysis. These weaknesses cover a variety of areas, which we have 
grouped into six categories of general control weaknesses. 

Access Control Weaknesses 

The most widely reported weakness was poor control over access to sensitive data and 
systems. This area of control was evaluated at 23 of the 24 agencies, and weaknesses 
were identified at each of the 23. Access control weaknesses make systems vulnerable to 
damage and misuse by allowing individuals and groups to inappropriately modify, destroy, 
or disclose sensitive data or computer programs for purposes such as personal gain or 
sabotage. Access controls limit or detect inappropriate access to computer resources 
(data, equipment, and facilities), thereby protecting them against unauthorized 
modification, loss, and disclosure. 

Access controls include physical protections, such as gates and guards, as well as logical 
controls, which are controls built into software that (1) require users to authenticate 
themselves through the use of secret passwords or other identifiers and (2) limit the files 
and other resources that an authenticated user can access and the actions that he or she 
can execute. In today's increasingly interconnected computing environment, poor access 
controls can expose an agency's information and operations to potentially devastating 
attacks from remote locations all over the world by individuals with minimal computer 
and telecommunications resources and expertise. Common types of access control 
weaknesses included 

overly broad access privileges inappropriately provided to very large groups of 
users; 

access that was not appropriately authorized and documented; 

multiple users sharing the same accounts and passwords, making it impossible to 
trace specific transactions or modifications to an individual; 


®These agencies accounted for 99 percent of reported federed net outlays in fiscal year 
1997. 
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inadequate monitoring of user activity to deter and identify Inappropriate actions, 
investigate suspicious activity, and penalize perpetrators; 

improperly implemented access controls, resulting in unintended access or gaps in 
access control coverage; and 

access that was not promptly terminated or adjusted when users either left an 
agency or when their responsibilities no longer required them to have access to 
certain files. 

Sfi re i ce C Qnti n uity . We akn e sses 

The second most widely reported type of weakness pertained to service continuity. 

Service continuity controls ensure that, when unexpected events occur, critical operations 
continue without undue interruption and critical and sensitive data are protected. In 
addition to protecting against natural disasters and accidental disruptions, such controls 
also protect against the growing threat of "cyber-terrorism," where individuals or groups 
with malicious intent may attack an agency's systems in order to severely disrupt critical 
operations. For this reason, an agency should have (1) procedures in place to protect 
information resources and minimize the risk of unplanned interruptions and (2) a plan to 
recover critical operations should interruptions occur. To determine whether recovery 
plans will work as intended, they should be tested periodically in disaster simulation 
exercises. 

Losing the capability to process, retrieve, and protect information maintained 
electronically can significantly affect an agency's ability to accomplish its mission. If 
controls are inadequate, even relatively minor interruptions can result in lost or 
incorrectly processed data, which can cause financial losses, expensive recovery efforts, 
and inaccurate or incomplete financial or management information. 

Service continuity controls were evaluated for 20 of the agencies included in our analysis, 
and weaknesses were reported for all of these agencies. Common weaknesses included 
the following: 

Plans were incomplete because operations and supporting resources had not been 
fully analyzed to determine which were the most critical and would need to be 
resumed as soon as possible should a disruption occur. 

Disaster recovery plans were not fully tested to identify their weaknesses. One 
agency's plan was based on an assumption that key personnel could be contacted 
within 10 minutes of the emergency, an assumption that had not been tested. 
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Entitywide Program Planning and Management Weaknesses 

The third most common type of weakness involved inadequate entitywide security 
program planning and management. Each organization needs a set of management 
procedures and an organizational framework for identifying and assessing risks, deciding 
what policies and controls are needed, periodically evaluating the effectiveness of these 
policies and controls, and acting to address any identified weaknesses. These are the 
fundamental activities that allow an organization to manage its information security risks 
cost effectively, rather than reacting to individual problems ad hoc only after a violation 
has been detected or an audit finding has been reported. 

Weaknesses were reported for all 17 of the agencies for which this area of control was 
evaluated. Many of these agencies had not developed security plans for msgor systems 
based on risk, had not formally documented security policies, and had not implemented a 
program for testing and evaluating the effectiveness of the controls they relied on. 

Seg fe ga Uon -.QLBuiiesJyeakngg§£§ 

The fourth most commonly reported type of weakness was inadequate segregation of 
duties. Segregation of duties refers to the policies, procedures, and organizational 
structure that help ensure that one individual cannot independently control all key 
aspects of a process or computer-related operation and thereby conduct unauthorized 
actions or gain unauthorized access to assets or records without detection. For example, 
one computer programmer should not be allowed to independently write, test, and 
approve program changes. 

Segregation of duties is an important internal control concept that applies to both 
computerized and manual processes.^ However, it is especially important in computerized 
environments, since an individual with overly broad access privileges can initiate and 
execute inappropriate actions, such as software changes or fraudulent transactions, more 
quickly and with greater impact than is generally possible in a non-automated 
environment Although segregation of duties alone will not ensure that only authorized 
activities occur, inadequate segregation of duties increases the risk that erroneous or 
fraudulent transactions could be processed, that improper program changes could be 
implemented, and that computer resources could be damaged or destroyed. 

Controls to ensure appropriate segregation of duties consist mainly of documenting, 
communicating, and enforcing policies on group and individual responsibilities. 
Enforcement can be accomplished by a combination of physical and logical access 
controls and by effective supervisory review. 


*ritle 2, "Accounting," Appendix 11, "Standards for Internal Controls in the Federal 
Government", GAO Policy and Procedures Manual for Guidance of Federal Agencies . 
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Segregation of duties was evaluated at 17 of the 24 agencies. Weaknesses were identified 
at 16 of these agencies. Common problems involved computer programmers and 
operators who were authorized to perform a wide variety of duties, thus enabling them to 
independently modify, circumvent, and disable system security features. For example, at 
one agency, all users of the financial management system could independently perform all 
of the steps needed to initiate and complete a payment-obligate funds, record vouchers 
for payment, and record checks for payment-making it relatively easy to make a 
fraudulent payment. 

Application Software Development and Change Control Weaknesses 

The fifth most commonly reported type of weakness pertained to software development 
and change controls. Such controls prevent unauthorized software programs or 
modifications to programs from being implemented. Key aspects are ensuring that (1) 
software changes are properly authorized by the managers re'^ponsible for the agency 
program or operations that the application supports, (2) new and modified software 
programs are tested and approved prior to their implementation, and (3) approved 
software programs are maintained in carefully controlled libraries to protect them from 
unauthorized changes and ensure that different versions are not misidentified. 

Such controls can prevent both errors in software programming as well as malicious 
efforts to insert unauthorized computer program code. Without adequate controls, 
incompletely tested or unapproved software can result in erroneous data processing that, 
depending on the application, could lead to losses or faulty outcomes. In addition, 
individuals could surreptitiously modify software programs to include processing steps or 
features that could later be exploited for personal gain or sabotage. 

Weaknesses in software program change controls were identified for 14 of the 18 agencies 
where such controls were evaluated. The most common type of weakness in this area 
was undisciplined testing procedures that did not ensure that implemented software 
operated as intended. In addition, procedures did not ensure that emergency changes 
were subsequently tested and formally approved for continued use and that 
implementation of locally-developed unauthorized software programs was prevented or 
detected. 

System Software Control Weaknesses 

The sixth area pertained to operating system software controls. System software controls 
limit and monitor access to the powerful programs and sensitive files associated with the 
computer systems operation. Generally, one set of system software is used to support 
and control a variety of applications that may run on the same computer hardware. 

System software helps control and coordinate the input, processing, output, and data 
storage associated with all of the applications that run on the system. Some system 
software can change data and programs without leaving an audit trail or can be used to 
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modify or delete audit trails. Examples of system software include the operating system, 
system utilities, program library systems, file maintenance software, security software, 
data communications systems, and database management systems. 

Controls over access to and modification of system software are essential in providing 
reasonable assurance that operating system-based security controls are not compromised 
and that the system will not be impaired. If controls in this area are inadequate, 
unauthorized individuals might use system software to circumvent security controls to 
read, modify, or delete critical or sensitive information and programs. Also, authorized 
users of the system may gain unauthorized privileges to conduct unauthorized actions or 
to circumvent edits and other controls built into application programs. Such weaknesses 
seriously diminish the reliability of information produced by all of the applications 
supported by the computer system and increase the risk of firaud, sabotage, and 
inappropriate disclosures. Further, system software programmers are often more 
technically proficient than other data processing personnel and, thus, have a greater 
ability to perform unauthorized actions if controls in this area are weak. 

A common type of system software control weakness reported was Insufficiently 
restricted access that made it possible for knowledgeable individuals to disable or 
circumvent controls in a wide variety of ways. For example, at one facility, 88 individuals 
had the ability to implement programs not controUed by the security software, and 103 
had the ability to access an unencrypted secmity file containing passw 'rds for authorized 
users. 

Significant system software control weaknesses were reported at 9 of the 24 agencies. In 
the remaining 16 agencies, this area of control had not been fully evaluated. We are 
working with the IGs to ensure that it receives adequate coverage in future evaluations. 

I would, now, Uke to describe in greater detail weaknesses at the two agencies that you 
have chosen to feature today: the Department of Veterans Affairs and the Social Security 
Administration. 

WEAKNESSES AT THE DEPARTMENT QF VETE RANS AFFAIRS 

\ 

The Department of Veterans Affairs (VA) relies on a vast array of computer systems and 
telecommunications networks to support its operations and store the sensitive 
information the department collects in carrying out its mission. In a report released 
today, we identify general computer control weaknesses that place critical VA operations, 
such as financial management, health care delivery, benefit payments, life insurance 
services, and home mortgage loan guarantees at risk of misuse and disruption.® In 


Information Systems: Computer Control Weaknesses Increase Risk Qf F raud. MiSWSfc 
and Improper DLsclosure (GAO/AIM D-98- 176, September 23, 1998). 
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addition, sensitive information contained in VA's systems, including financial transaction 
data and personal information on veteran medical records and benefit payments, is 
vulnerable to inadvertent or deliberate misuse, fraudulent use. Improper disclosure, or 
destruction-possibly occurring without detection. 

VA operates the largest health care delivery system in the United States and guarantees 
loans on about 20 percent of the homes in tl»e country. In fiscal year 1997, VA spent over 
$17 billion on medical care and processed over 40 million benefit payments totaling over 
$20 billion. The department also provided insurance protection through more than 2.5 
million policies that represented £^out $24 billion in coverage at the end of fiscal year 
1997. In addition, the VA systems support the department's centralized accounting and 
payroll functions. In fiscal year 1997, VA's payroll was almost $11 billion, and the 
centralized accounting system generated over $7 billion in additional payments. 

In our report, we note significant problems related to the department's control and 
oversight of access to its systems. VA did not adequately limit the access of authorized 
users or effectively manage user identifications (IDs) and passwords. 

At one facilityi the security software was implemented in a manner that provided 
all of the more than 13,000 users with the ability to access and change sensitive 
data files, read system audit information, and execute powerful system utilities. 
Such broad access authority increased the risk that users could circumvent the 
security software to alter payroll and other payment transactions. This weakness 
could also provide users the opportunity to access and disclose sensitive 
information on veteran medical records, such as diagnoses, procedures performed, 
inpatient admission and discharge data, or the purpose of outpatient visits, and 
home mortgage loans, including the purpose, loan balance, default status, 
foreclosure status, and amount delinquent 

At two facilities, we found that system programmers had access to both system 
software and financial data This type of access could allow the programmers to 
make unauthorized changes to benefit payment information without being detected. 

At four of the five facilities we visited, we identified user ID and password 
management control weaknesses that increased the risk of passwords being 
compromised to gain unauthorized access. For example, IDs for terminated or 
transferred employees were hot being disabled, many passwords were common 
words that could be easily guessed, numerous staff were sharing passwords, and 
some user accounts did not have passwords These types of weaknesses make the 
financial transaction data and personal information on veteran medical records and 
benefits stored on these systems vulnerable to misuse, improper disclosure, and 
destruction. We demonstrated these vulnerabilities by gaining unauthorized access 
to VA systems and obtaining information that could-have been used to develop a 
strategy to alter or disclose sensitive patient information. 
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We also found that the department had not adequately protected its systems from 
unauthorized access from remote locations or through the VA network. The risks created 
by these issues are serious because, in VA's interconnected environment, the failure to 
control access to any system connected to the network also exposes other systems and 
iq}plications on the network. 

While simulating an outside hacker, we gained unauthorized access to the VA 
network. Having obtained this access, we were able to identify other systems bn 
the network, which makes it much easier for outsiders with no knowledge of VA’s 
operations or infrastructure to penetrate the department’s computer resources. We 
used this information to access the log>on screen of another computer that 
contained financial and payroll data, veteran loan information, and sensitive 
information on veteran medical records for both inpatient and outpatient 
treatment Such access to the VA network, when coupled with VA’s ineffective 
user ID and password management controls and available “hacker” tools, creates a 
significant risk that outside hackers could gain unauthorized access to this 
information. 

- At two facilities, we were able to demonstrate that network controls did not 

prevent unauthorized users with access to VA facilities or authorized users with 
malicious intent from gaining improper access to VA systems. We were able to 
gain access to both mainframe and network systems that could have allowed us to 
improperly modify payments related to VA’s loan guaranty program and alter 
sensitive veteran compensation, pension, and life irisurance benefit information. 

We were also in a position to read and modify sensitive data. 

The risks created by these access control problems were also heightened significantly 
because VA was not adequately monitoring its systems for unusual or suspicious access 
activities. In addition, the department was not providing adequate physical security for 
its computer facilities, assigning duties in such a way as to properly segregate functions, 
controlling changes to powerful operating system software, or updating and testing 
disaster recovery plans to ensure that the department could maintain or regain critical 
functions in emergencies. 

Many similar access and other general computer control weaknesses had been reported in 
previous years, indicating that VA's past actions have not been effective on a 
departmentwide basis. Weaknesses associated with restricting access to sensitive data 
and programs and monitoring access activity have been consistently reported in IG and 
other internal reports. 

A primary reason for VA's continuing general computer control problems is that the 
department does not have a comprehensive computer security planning and management 
program in place to ensure that effective controls are established and maintained and that 
computer security receives adequate attention. An effective program would include 
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guidance and procedures for assessing risks and mitigating controls, and monitoring and 
evaluating the effectiveness of established controls. However, the VA had not clearly 
delineated security roles and responsibilities: performed regular, periodic assessments of 
risk; implemented security policies and procedures that addressed all aspects of VA’s 
interconnected environment; established an ongoing monitoring program to identify and 
investigate unauthorized, unusual, or suspicious access activity; or instituted a process to 
measure, test, and report on the continu^ effectiveness of computer system, network, 
and process controls. 

In our report to VA, we recommended that the Secretary direct the CIO to (1) work with 
the other VA CIOs to address all identified computer control weaknesses, (2) develop and 
implement a comprehensive departmentwide computer security planning and management 
program, (3) review and assess computer control weaknesses identified throughout the 
department and establish a process to ensure that these weaknesses are addressed, and 
(4) monitor and periodically report on the status of improvements to computer security 
throughout the department 

In commenting on our report, VA agreed with these recommendations and stated that the 
department would immediately correct the identified computer control weaknesses and 
implement oversight mechanisms to ensure that these problems do not reoccur. VA also 
stated that the department was developing plans to correct deficiencies previously 
identified by the IG and by internal evaluations and that the VA CIO will report 
periodically on VA’s progress in correcting computer control weaknesses throughout the 
department We have discussed these actions with VA officials, and, as part of our 
upcoming review, we will be examining completed actions and evaluating their 
effectiveness. 

WEAKNESSES AT THE SOCIAL SECURITY ADMINISTRATION 

The Social Security Administration (SSA) relies on extensive information processing 
resources to carry out its operations, which, for 1997, included payments that totaled 
approximately $390 billion to 60 million beneficiaries. This was almost 26 percent of the 
$1.6 trillion in that year's federal expenditures. SSA also issues social security numbers 
and maintains earnings records and other personal iifformation on virtually all U. S. 
citizens. Through its programs SSA processes approximately 226 million wage and tax 
statements (W-2 forms) annually for approximately 138 million workers. Few federal 
agencies affect so many people. 

The public depends on SSA to protect trust fund revenues and assets from fraud and to 
protect sensitive information on individuals from inappropriate disclosure. In addition, 
many current beneficiaries rely on the uninterrupted flow of monthly payments to meet 
their basic needs. In November 1997, the SSA IG reported serious weaknesses in controls 
over information resources, including access, continuity of service, and software program 
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changes that unnecessarily place these assets and operations at risk.’ These weaknesses 
demonstrate the need for SSA to do more to assure that adequate controls are provided 
for information collected, processed, transmitted, stored, or disseminated in general 
support systems or mqjor applications. 

Internal control testing identified information protection-related weaknesses throughout 
SSA's information systems environment Affected areas included SSA's distributed 
computer systems as well as its mainframe computers. These vulnerabilities exposed SSA 
and its computer systems to external and internal intrusion; subjected sensitive SSA 
information related to social security numbers, earnings, disabilities, and benefits to 
potential unauthorized access, modification, and/or disclosure; and increased the risks of 
fraud, waste, and abuse. Access control and other weaknesses also increased the risks of 
introducing errors or irregularities into data processing operations. 

For example, auditors identified numerous employee user accounts on SSA networks, 
including dial-in modems, that were either not password protected or were protected by 
easily guessed passwords. These weaknesses increased the risk that unauthorized 
outsiders could access, modify, and delete data; create, modify, and delete users; and 
disrupt services on portions of SSA's network. In addition, auditors identified network 
control weaknesses that could result in accidental or intentional alteration of birth and 
death records, as well as unauthorized disclosure of personal data and social security 
numbers. 

These weaknesses were made worse because security awareness among employees was 
not consistent at SSA. As a result, SSA was susceptible to security penetration 
techniques, such as social engineering, whereby users disclose sensitive information in. 
response to seemingly legitimate requests from strangers either over the phone or in 
person. The auditors reported that during testing, they were able to secure enough 
information through social engineering to allow access to SSA's network. 

Further, by applying intrusion techniques in penetration tests, auditors gained access to 
various SSA systems that would have allowed them to-view user data, add and delete 
users, modify network configurations, and disrupt service to users. By gaining access 
through such tests, auditors also were able to execute software tools that resulted in their 
gaining access to SSA electronic mailboxes, public mailing lists, and bulletin boards. This 
access would have provided an intruder the ability to read, send, or change e-mail 
exchanged among ^A users, including messages from or to the Commissioner. 

In addition to access control weaknesses and inadequate user awareness, employee duties 
at SSA were not appropriately segregated to reduce the risk that an individual employee 


’Social Security Accountability Report for Fiscal Year 1997. SSA Pub. No. 31-231, 
November 1997. 
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could introduce and execute unauthorized transactions without detection. As a result, 
certain employees had the ability to independently carry out actions such as initiating and 
adjudicating claims or moving and reinstating eartUngs data. This weakness was 
exacerbated because certain mitigating monitoring or detective controls could not be 
relied on. For example, SSA has developed a system that allows supervisors to review 
sensitive or potentially fraudulent activity. However, key traivsactions or combinations of 
' transactions arc not being reviewed or foUcwed up promptly and certain audit trail 
features have not been activated. 

Weaknesses such as those I have just described increase the risk that a knowledgeable 
individual or group could fraudulently obtain payments by creating fictitious beneficiaries 
or increasing payment amounts. Similarly, such individuals could secretly obtain sensitive 
information and sell or otherwise use it for personal gain. 

The recent growth in "identity theft," where personal information is stolen and used 
fraudulently by impersonators for purposes such as obtaining and using credit cards, has 
created a market for such information. According to the SSA IG's September 30, 1997, 
report to the Congress (included in the SSA's fiscal year 1997 Accountability Report), 29 
criminal convictions Involving SSA employees were obtained during fiscal year 1997, most 
of which involved creating fictitious identities, fraudulently selling SSA car^, 
misappropriating refunds, or abusing access to confidential information. The risk of 
abuse by SSA employees is of special concern because, except for a very few individuals, 
SSA does not restrict access to view sensitive data based on a need-to-know basis. As a 
result, a large number of SSA employees can browse enumeration, earnings, and claims 
records for many other individuals, including other SSA employees, without detection. 

SSA provides this broad access because they feel that it facilitates their employees' ability 
to carry out SSA's mission. 

An underlying factor that contributes to SSA's information security weaknesses is 
inadequate entitywide security program planning and management Although SSA has an 
entity^de security program in place, it does not sufficiently address all areas of security, 
including dial-in access, telecommunications, certain msOor mainframe system 
applicatioirs, and distributed systems outside the mainframe environment A lack of such 
an entitywide program impairs each group's ability to develop a security structure for its 
responsible area and makes it difficult for SSA management to monitor agency 
performance in this area. 

In two separate letters to SSA management, the IG and its contractor made 
recommendations to address the weaknesses reported in November 1997. SSA has agreed 
with the m£dority of the recommendations and is developing related corrective action 
plans. 
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IMPROVEMENTS BEQUIRE INDIVTOUAL AGENCY ACTIONS 
AND STRENGTHENED CENTRAL OVERSIGHT 

Substantively improving federal information security will require efforts at both the 
individual agency level and at the govemmentwide level. Agency managers are primarily 
responsible for securing the iirformation resources that support their critical operations. 
However, central oversight also is important to monitor agency performance and address 
crosscutting issues that affect multiple agencies. Over the last 2 years, a number of 
efforts have been initiated, but additional actions are still needed. 

Improved Security Program Management Needed at Individual Agencies 

First, it is important that agency managers implement comprehensive programs for 
identifying and managing their security risks in addition to correcting specific reported 
weaknesses. Over the last 2 years, our reports and IG reports have included scores of 
recommendations to individual agencies, and agencies have either implemented or 
planned actions to address most of the specific weaknesses. However, there has been a 
tendency to react to individual audit findings as they were reported, with little ongoing 
attention to the systemic causes of control weaknesses. 

In short, agencies need to move beyond addressing individual audit findings and 
supplement these efforts with a framework for proactively managing the Information 
security risks associated with their operations. Such a fimnework includes determining 
which risks are significant, assigning responsibility for taking steps to reduce risks, and 
ensuring that these steps are implemented effectively and remain effective over time. 
Without a management fiiamework for carrying out these activities, information security 
risks to critical operations may be poorly understood; responsibilities may be unclear and 
improperly implemented; and policies and controls may be inadequate, ineffective, or 
inconsistently applied. 

Best Practices of Leading Organizations Provide Guidance 

In late 1996, at the Committee's request, we undertook an effort to identify potential 
solutions to this problem, including examples that could supplement existing guidance to 
agencies. To do this, we studied the security management practices of eight nonfederal 
organizations known for their superior security programs. These organizations included 
two financial services corporations, a regional electric utility, a state university, a retailer, 
a state agency, a computer vendor, and an equipment manufacturer. 

We found that these organizations managed their information security risks through a 
cycle of risk management activities, and we identified 16 specific practices that supported 
these risk management principles. These practices are outlined in an executive guide 
titled Information Security Management- Learning Fro m Leading Organizations 
(GAO/AIMD-98-68), which was released by the Committee in May 1998 and endorsed by 
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the CIO CounciL Upon publk:atkm, the gukte was distributed to «U mitlor agency heads, 
CIOs and IGs. 

The guide describes a framework for manatfng information security risks through an 
ongoing < 7 de of activities coordiiuded by e central focal point Such a frameworic can 
help ensuis that existing controls are effective and that new, more advanced control 
teduiiques are prudently and ^ectivdy selected aiKl implemented as they become 
availaMe. The risk marugement cycle and the 16 practices suMKNting cycle ot 
activity are depicted in the following figures. 


Flgurtl: Ths Risk MansgsiiMtil Cydt 
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Figure 2: Sixteen Practices Empioyed by Leatfng Organizations to impiement the Risk 
Management Cycle 
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Centrally Directed Improvement Efforts Have Increased 

In addition to effective security program planning and management at individual agencies, 
govemmentwide leadership, coordination, and oversight are important to 

ensure that federal executives understand the risks to their operations, 

monitor agency performance in mitigating these risks, 

- ensure implementation of needed improvements, and 

- facilitate actions to resolve issues affecting multiple agencies. 

To help achieve this, the Paperwork Reduction Act of 1980 made 0MB responsible for 
developing information security policies and overseeing related agency practices. In 

1996, we reported that OMB's oversight consisted largely of reviewing selected agency 
system-related projects and participating in various federal task forces and working 
groups. While these activities are important, we recommended that 0MB play a more 
active role in overseeing agency performance in the area of information security. 

Since then, OMB's efforts have been supplemented by those of the CIO Council. In late 

1997, the Council, under OMB's leadership, designated information security as one of six 
priority areas and established a Security Committee, an action that we had recommended 
in 1996. The Security Committee, in turn, has established relationships with other federal 
entities involved in security and developed a very preliminary plan. While the plan does 
not yet comprehensively address the various issues affecting federal information security 
or provide a long-range strategy for improvement, it does cover important areas by 
specifying three general objectives; promote awareness and training, identify best 
practices, and address technology and resource issues. During the first half of 1998, the 
committee has sponsored a security awareness seminar for federal agency officials and 
developed plans for improving agency access to incident response services. 

More recently, in May 1998, Presidential Decision Directive (PDD) 63 was issued in 
response to recommendations made by the President's Commission on Critical 
Infrastructure Protection in October 1997.’ PDD 63 established entities within the 
National Security Council, the Department of Commerce, and the Federal Bureau of 
Investigation to address critical infrastructure protection, including federal agency 
information infrastructures. Specifically, the directive states that "the Federal 
Government shall serve as a model to the private sector on how infrastructure assurance 
is best achieved" and that federal department and agency CIOs shall be responsible for 


’ Critical Foundations: Protecting America's Infrastructures. The Report of the President's 
Commission on Critical Infrastructure Protection, October 1997. 
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information assurance. The directive requires each department and agency to develop a 
plan within 180 days from the issuance of the directive in May 1998 for protecting its own 
critical infrastructure, including its cyber-based systems. These plans are then to be 
subject to an expert review process. Other key provisions related to the security of 
federal information systems include 

a review of existing federal, state, and local bodies charged with information 
assurance tasks; 

enhanced collection and analysis of information on the foreign information warfare 
threat to our critical infrastructures; 

establishment of a National Infrastructure Protection Center within the Federal 
Bureau of Investigation to facilitate and coordinate the federal government's 
investigation and response to attacks on its critical infrastructures; 

assessments of U. S. government systems' susceptibility to interception and 
exploitation; and 

incorporation of agency infrastructure assurance functions in agency strategic 
planning and performance measurement frameworks. 

We plan to follow up on the these activities as more specific information becomes 
available. 

A CO MPREHE NS I V E AN D C OORDI NA TED 

GQVERNMENTWIDE STRATEGY NEEDS TO EMERGE 

The CIO Council's efforts and the issuance of PDD 63 indicate that senior federal officials 
are increasingly concerned about information security risks and are acting on these 
concerns. Improvements are needed both at the individual agency level and in central 
oversight, and coordinated actions throughout the federal community will be needed to 
substantively improve federal information security. 

What needs to emerge is a coordinated and comprehensive strategy that incorporates the 
worthwhile efforts already underway and takes advantage of the expanded amount of 
evidence that has become available in recent years, The objectives of such a strategy 
should be to encourage agency improvement efforts and measure their effectiveness 
through an appropriate level of oversight. This will require a more structured approach 
for (1) ensuring that risks are fully understood, (2) promoting use of the most cost- 
effective control techniques, (3) testing and evaluating the effectiveness of agency 
programs, and (4) acting to address identified deficiencies. This approach needs to be 
applied at individual departments and agencies and in a coordinated fashion across 
government. 
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In our report on govenunentwide information security that is being released today, we 
recommended that the Director of 0MB and the Assistant to the President for National 
Security Affairs develop such a strategy. As part of our recommendation, we stated that 
such a strategy should 

ensure that executive agencies are carrying out the responsibilities outlined in laws 
and regulations requiring them to protect the security of their information 
resources; 

- clearly delineate the roles of the various federal organizations with responsibilities 
related to information security; 

- identify and rank the most significant information security issues facing federal 
agencies; 

- promote information security risk awareness among senior agency officials whose 
critical operations rely on automated systems; 

identify and promote proven security tools, techniques, and management best 
practices; 

- ensure the adequacy of information technology workforce skills; 

- ensure that the security of both financial and nonfinancial systems is adequately 
evaluated on a regular basis; 

include long-term goals and objectives, including time frames, priorities, and annual 
. performance goals; and 

provide for periodically evaluating agency performance from a govemmentwide 
perspective and acting to address shortfalls. 

In commenting on a draft of our report, the OMB's Acting Deputy Director for 
Management said that a plan is currently being developed by 0MB and the CIO Council, 
working with the National Security Council. The comments stated that the plan is to 
develop and promote a process by which government agencies can (1) identify and assess 
their existing security posture, (2) implement security best practices, and (3) set in 
motion a process of continued maintenance. The comments also describe plans for a CIO 
Council-sponsored interagency assist team that will review agency security programs. As 
of September 17, a plan had not yet been finalized and, therefore, was not available for 
our review, according to an 0MB official involved in the plan's development We intend 
to review the plan as soon as it is available. 
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YEAR 2000 CRISIS INCREASES SENSE OF 
URGENCY FOR IMPROVED SECURITY 

Although information security, like other types of safeguards and controls, is an ongoing 
concern, it is especially important, now and in the coming 18 months, as we approach 
and deal with the computer problems associated with the Year 2000 computing crisis. 

The Year 2000 crisis presents a number of security problems with which agencies must be 
prepared to contend. 

For example, it is essential that agencies improve the effectiveness of controls over their 
software development and change process as they implement the modifications needed to 
make their systems Year 2000 compliant Many agencies have significant weaknesses in 
this area, and most are under severe time constraints to make needed software changes. 
As a result, there is a danger that already weak controls will be further diminished if 
agencies bypass or truncate them in an effort to speed the software modification process. 
This increases the risk that erroneous or malicious code will be implemented or that 
systems that do not adequately support agency needs will be rushed into use. 

Also, agencies should strive to improve their abilities to detect and respond to anomalies 
in system operations that may indicate unauthorized intrusions, sabotage, misuse, or 
damage that could affect critical operations and assets. As illustrated by VA and SSA, 
many agencies are not taking full advantage of the system and network monitoring tools 
that they already have and many have not developed reliable procedures for responding 
to problems once they are identified. Without such incident detection and response 
capabilities, agencies may not be able to readily distinguish between malicious attacks 
and system-induced problems, such as those stemming from Year 2000 noncompliance, 
and respond appropriately. 

The Year 2000 crisis is the most dramatic example yet of why we need to protect critical 
computer systems because it illustrates the government’s widespread dependence on 
these systems and the vulnerability to their disruption. However, the threat of disruption 
will not end with the advent of the new millennium. There is a longer-term danger of 
attack from malicious individuals or groups, and it is important that our government 
design long-term solutions to this and other security risl«. 


Mr. Chairman, this concludes our statement We would be happy to respond to any 
questions you or other members of the Committee may have. 


Page 19 


GAO/T-AIMD-98-312 




74 


Statement by 
Harold F. Gracey, Jr. 

Acting Assistant Secretary for Information and Technology 
Department of Veterans Affairs 
Before the 

United States Senate 
Committee on Governmental Affairs 
September 23,1998 

Good morning, Mr. Chairman and members of the Committee. I am pleased to testify 
before you today to discuss computer security issues at the Department of Veterans 
Affairs. 

The Department provides services to veterans and their families. These benefits 
primarily are for veterans in the form of Compensation, Pension and Education programs 
through Regional Offices; in the form of medical care tuid services through medical 
centers, domiciliaries and outpatient clinics; and in the form of graveside and burial 
services for deserving veterans and qualifying family members. VA operates from 
almost 1200 facilities across the nation, employing approximately two hundred nineteen 
thousand employees. There are approximately seventy million persons who are veterans, 
dependents and survivors of deceased veterans who are potentially eligible for VA 
benefits and services. 
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To facilitate these services, VA has extensive computer system networks and electronic 
information. The systems are generally aligned with each major administration within 
VA: the Veteran Benefits Administration, the Veteran Health Administration, and the 
National Cemetery System. Additionally, Departmental administrative systems which 
support all elements of VA are supported through a large centralized service center. 
While much of VA information is contained in what may be considered “legacy” 
systems, all of the information centers are interconnected so that limited critical forms of 
information may be exchanged among various sites and information applications. This 
information is not classified as secret information, but is highly sensitive since it includes 
personal information about a large body of the nation’s population. In addition to 
information about veteran programs, VA has virtually completed implementation of an 
integrated administrative E-mail network which permits seamless exchange of electronic 
mail across the breadth of the Department. 

We have recently experienced several General Accounting Office (GAO) and VA Office 
of Inspector General (OIG) reviews of our information technology security. There are a 
number of findings which identify vulnerabilities and needed improvements at specific 
sites, among specific organizations, and in VA wide security program management. We 
do not dispute the GAO and OIG findings, and have already acted upon most of their 
recommendations. We have contracted for third party reviews of our major centers in the 
past, and despite our concerns with continuing vulnerabilities, we view the recent reports 
as providing us an opportunity to strengthen our information security program with a 
more comprehensive computer security planning and management program. 
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We intend to address each of the recommendations identified by the GAO and VA*s 010 
in their four recent reviews, including VA*s: 

• control and oversight of access to its systems; 

• protection of VA systems from unauthorized access from remote locations or through 
the VA network; 

• performance of regular periodic assessments of risk; and 

• development and implementation of a comprehensive department-wide computer 
security planning and management program. 

As GAO indicates, VA immediately corrected the identified computer control 
wea kn esses and implemented oversight mechanisms to ensure that these problems do not 
re-occur. In September 1998, my office finalized with the full participation of the 
respective Administration Chief Information Officers a detailed Integrated VA Secnrity 
Plan for implementing each of the recommendations. Each VA Administration is 
responsible to complete a specific series of tasks structured to correct deficiencies. Plan 
status and progress will be provided monthly to the OIG. The projected date of 
completion for the tasks in this plan is December 1998. 

We also have prepared a Draft VA Infonaatioa Tcdumlogy Secnrity Prograni Plan 
that addresses department-wide computer security issues, including policies, guidance 
and procedures aiKl responsibilities. This plan addresses the recent reports, as well as 
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other program shortcomings. It is expected to create more explicit guidance to VA 
Administrations with increased oversight'requirements. 

0 

I am CiKnmitted to a strong information technology security program, and I intend to 
ensure security receives adequate attention with an elevated level of scrutiny in VA. 

I appreciate the opportunity to address this important matter and will be pleased to 
answer any questions you may have. 
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Mr. Chairman and Members of the Committee: 

Thank you for inviting me here today to discuss computer security at the Social 
Security Administration (SSA). 

At the outset, Mr. Chairman, it is our highest priority to maintain the confidentiality 
of the information in SSA's systems. Nothing is more important in the operation of 
our programs than ensuring that the public has confidence that the information 
placed in our trust is secure. This basic philosophy is a cornerstone of everything 
we do. In fact, the very first regulation issued by the new Social Security 
Administration in 1935 dealt with the nondisclosure of SSA record data. 

SSA pays benefits each month to almost 50 million beneficiaries. In FY 1998 
alone, SSA delivered $400 billion in benefits. In order to achieve our mission, 
many of Social Security's 66,000 employees must have access, on a need to know 
basis, to computer records. This creates an inherent tension between the need to 
deliver accurate benefits on time to the right person and the need to have the 
tightest security possible. When the agency learns that an employee has abused his 
or her systems privileges, steps are immediately taken to impose penalties, as 
severe as termination, on the individual. 

When Social Security first became independent in 1995, and had its own Inspector 
General (IG) for the first time devoted only to SSA's activities, the Commissioner 
asked the IG to make employee integrity the number one issue and the IG has done 
so. SSA has consistently asked for additional resources for the IG and received 
support from Congress for those requests. 

We have taken both preventive and enforcement actions to protect information in 
Social Security files from any wrongful use by our own employees and from any 
unauthorized access by outsiders. It is important to emphasize that SSA's 
mainframe computers have never been successfully penetrated by outside parties. 
This is not to say that we are resting on our laurels. We constantly reevaluate and, 
when necessary, upgrade the security features necessary to maintain the public's 
confidence that our systems are secure. 

Maintaining SSA Systems Security 

In order to meet the challenges of data security in today's highly technological 
environment, the Agency has adopted an enterprise-wide approach to systems 
security, financial information, data integrity, and prevention of fraud, waste, and 
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abuse. We have full-time staff devoted to systems security stationed throughout 
the Agency, in all regions and in central office. They provide day to day oversight 
and control over our computer software. In addition, we have a Deputy 
Commissioner-level Office of Systems which supports the operating system, 
develops new software and the related controls and in general assures that SSA is 
taking advantage of the latest in effective systems technology. 

SSA has a Chief Financial Officer, also at the Deputy Commissioner-level, who 
assures that all new systems have the required financial controls to maintain sound 
stewardship over the monies entrusted to our care. In addition, as the Principal 
Deputy Commissioner, I also serve as the agency’s Chief Information Officer; this 
dual role gives me the oversight of the agency as a whole to assure that our 
initiatives are enterprise wide in scope. 

As I have mentioned, as an independent agency, we have our own IG who can 
focus his efforts on the agency’s needs (and concerns. The IG is also very active in 
working with other Federal, State and local law enforcement agencies to assure all 
avenues for investigation and prosecution are being pursued-especially for systems 
security-related issues. 

Modem computer security requires the implementation of sophisticated software 
and control of access to the system. SSA uses state of the art software that 
carefully restricts any user access to data except for its intended use. Using this 
software, only persons with a "need to know" in order to perform a particular job 
function are approved and granted access. Our systems controls not only register 
and record access, but also determine what functions a person can do once access is 
authorized. SSA security personnel assign a computer-generated personal 
identification number and an initial password to persons who are approved for 
access (the person must change the password every 30 days). This allows SSA to 
audit and monitor the actions individual employees take when using the system. 
These same systems provide a means to investigate allegations of misuse and have 
been crucial in prosecuting employees who misuse their authority. 

In summary, we have in place the right authorities, the right personnel, and the 
right software controls to prevent penetration of our systems and to address systems 
security issues as they surface. 
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Audit of SSA's Systems Controls 

SSA, as an agency, has been preparing audited financial statements since FY 1987. 
Fiscal year 1997 represented the fourth consecutive year that SSA’s financial 
statements have received an unqualified, or clean, audit opinion from SSA's IG or 
its contractor. The auditors stated, "In our opinion management's assertion that 
SSA's systems of accounting and internal controls are in compliance with the 
internal control objectives in 0MB Bulletin NO. 93-06 is fairly stated, in all 
material respects". SSA received an unqualified opinion from the auditors that our 
systems of internal controls meet the standards set up by the Office of Management 
and Budget (0MB). Our financial statements are prepared consistent with the 
requirements of the Federal Accounting Standards Advisory Board, 0MB, the 
Chief Financial Officers’ Act, and other relevant Federal statutes. 

PricewaterhouseCoopers (PwC) conducted the FY 1997 audit under contract with 
the General Accounting Office (GAO) and our IG. As part of the audit, PwC 
provided SSA with two management letters that gave recommendations as to how 
SSA could improve its systems safeguards and financial management controls. 

Over the past few months, SSA and PwC have been working closely to reach final 
agreement on how to achieve the objectives of the PwC recommendations. (We 
have provided this committee with SSA's FY 1997 financial statement-part of the 
latest Accountability Report-as well as two Management Letters given to SSA by 
PwC.) 

SSA's Response to the Audit 

The Social Security Administration and our auditor, PwC, are in agreement on 
almost all recommendations. SSA takes these issues seriously and has embarked 
on an aggressive timetable of corrective action. Some of the auditor's 
recommendations take longer to achieve but I believe that the auditor would say 
that we are proceeding expeditiously. SSA and PwC have come to closure on 
virtually all of the recommendations contained in the PwC reports. PwC is now 
reviewing our progress in making the called for changes and will report on them as 
part of the audit of SSA’s financial statements for fiscal year 1998, this fall. 

SSA has developed a workplan to implement these agreed-upon improvements. 
There are a couple of areas where we are still exploring solutions and expect to 
close them out as part of the FY 1998 audit process. 
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I would like now to address some of the major changes we are making in the four 
primary areas that PwC identified as follows: 

1) SSA needs improved controls to protect its information; 

2) SSA needs to improve and fully test its plan for maintaining continuity of 
operations; 

3) SSA needs to improve its software application development and change 
control policies and procedures; and 

4) SSA needs to improve controls over insufficient separation of duties. 

Finding 1, Protection of Information : The auditors made 43 recommendations on 
how the Agency could better protect its data in both a mainframe and distributive 
environment. We agreed with 41 of these recommendations and have closed or 
completed 30 to date. Some of the actions taken include limiting the use of 
modems, implementing a process to identify unauthorized modems on a continuing 
basis, removing access immediately for unauthorized modems when discovered; 
and strengthening access controls over programmers and other system’s personnel. 
New password guidelines were implemented which require the use of more 
characters and we are making enhancements to our single sign-on architecture. 

The auditors recently told us that they noted improvements in this area in this 
year’s audit, particularly in the mainframe environments, but believed we needed 
to give more attention to the distributive environment. We will continue working 
with the auditors to further improve this area. 

Finding 2, continuity of operations : There were five recommendations in this area, 
focused primarily on an updated contingency plan covering both data center 
activities and activities performed by end users, covering critical operations should 
interruptions occur, and testing combinations of multiple critical workloads 
simultaneously. We agreed with all five recommendations. 

SSA is committed to testing all critical workloads within a 3-year cycle and has 
expanded our test capability from 64 hours to 120 hours in 1999. We are taking a 
fresh look at identifying our critical work loads and how we will maintain 
continuity of operations in the event of the loss of our computer center in both a 
short and long-term scenario. 
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Finding 3, software development : In this area'the auditors felt that control and 
security measures for application systems changes could be improved. We have 
closed or completed 17 of the 35 recommendations to date and are actively 
working on the others. New and revised procedures were developed to ensure that 
requested changes to systems were properly approved, coded, tested, documented, 
and authorized for production. We now have appropriate policies and procedures in 
place to document system change control practices and are committed to ensuring 
100 percent compliance with policy. 

Finding 4, separation of duties : There were three areas where the auditors felt we 
had inadequate separation of duties: field offices, systems-operations, and security 
administration. We generally agreed that we could improve in the areas of systems 
operations and security administration and have addressed 18 recommendations so 
far. We disagreed with five recommendations pertaining to field offices because of 
the high cost of implementing these recommendations and asked the auditors to 
reconsider and develop alternative approaches. The auditors have reconsidered 
these recommendations and are in the process of developing revised 
recommendations which will emphasize the use of performance measurement data 
to identify high-risk transactions for analysis and, when warranted, additional 
preventive controls. These new recommendations are much less labor intensive 
and appear to be achievable. We will continue to work with the auditors to 
improve this area. 

I want to come back to the broader concerns. Addressing systems security is and 
always will be first of all a high priority for SSA. By design, the Agency has used 
a system architecture that relied almost exclusively on mainframe systems and 
centralized databases. With this architecture we are able to more tightly control 
computer security than those Agencies who are faced with large numbers of local 
and/or distributed systems. 

As SSA, in the increasingly technological environment, moves away from the 
mainframe environment to more distributed systems, we need to carefully consider 
at every step of the process how to build in security features. We have already 
taken a number of steps to ensure that these new systems will be as secure as 
possible. 

We have supported and will continue to support the independent audit of our 
financial statements. We have supported the auditors detailed testing of SSA’s 
systems. We will work with the various oversight bodies-the General Accounting 
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Office and the IG, for example, to review what we are doing and identify any 
issues they believe we need to address. Only in this way can we be assured SSA is 
getting all the advice that is available to us, and doing its utmost to maintain the 
security of our computer systems, and the data they contain. 

Zero Tolerance for Fraud 

Finally, I also want to state that we have a zero tolerance at SSA for fraud, waste, 
and abuse. We believe that our zero tolerance policy has paid off, as evidenced by 
the fact that almost all of the recommendations made to the Agency by independent 
auditors in recent years have been of a theoretical nature, e.g. ’ our systems have a 
weakness that needs to be addressed to assure there is no abuse. Nonetheless, when 
we have evidence of an abuse of system privileges, addressing the matter is a 
number one priority of the Agency. 


On June 22, 1998, Commissioner Apfel issued a notice to all SSA employees about 
administrative sanctions to be taken against any SSA employee who abuses his or 
her systems privileges. The penalties are severe and will lead to termination of 
employment for any offense that involves selling data. 

SSA's IG is committed to the investigation and prosecution of every employee 
abuse case that is identified. Many of the SSA employee cases turned over to the • 
Inspector General for investigation were first discovered by the Social Security 
Administration itself In addition, we have asked the IG to make investigation of 
employee fraud the number one priority. 

Conclusion 

As I noted at the outset the Social Security Administration has a long-standing 
tradition of assuring the public that their personal records are secure. Systems 
security is not a one-time task to be accomplished, but rather is an ongoing mission 
we can never lose sight of We know we cannot rest on past practice, but must be 
vigilant in every way we can to assure that these personal records remain secure, 
and that public confidence in SSA is maintained. 

I want to thank the Committee for holding this hearing and focusing on what we all 
view as a critical issue. We are glad to know that the Congress shares our 
concerns, and we will work with the Committee to assure the American people that 
we are doing all we can to maintain the security of our computer operations. 

This concludes my prepared statement. I will be happy to answer any questions 
you may have. 
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September 23,1998 

The Honorable Togo D. West, Jr. 

The Secretary of Veterans ACbJrs 

I>ear Mr. Secretary: 

This report discusses weaknesses that we identified during our 
assessment of general computer controls that support Key fiiumcial 
management and benefit delivery operations of the Department of 
Veterans Affairs (va). General computer controls affect the overall 
effectiveness and security of computer operations as opposed to being 
unique to any specific computer application. They include security 
management, operating procedures, software security features, and 
physical protection designed to ensure that access to data is appropriately 
reacted, only authorized changes are made to computer programs, 
computer security duties are segregated, and backup and recovery plans 
are adequate to ensure the continuity of essential operations. Such 
controls are critical to va’s ability to safeguard assets, maintain the 
confidentiality of seirsitive financial data and iifformation on veteran 
medical records and benefit payments, and ensure the reliability of 
financial management informatioa 

Our review of va’s general computer controls was performed in 
connection with the department’s financial audit conducted under the 
Chief Financial Officers Act of 1990, as expanded by the Government 
Management Reform Act of 1994. The results of our evaluation of general 
computer controls were shared with va’s Office of Inspector General (oio) 
for its use in auditiirg va’s consolidated financial statements for fiscal year 
1997. 

This report does not detail certain serious weaknesses in controls over 
access to va computer resources. A separate report on those matters, with 
limited distribution due to its sensitive nature, is being issued today. 


Results in Brief 


General computer control weaknesses place critical va operations, such as 
fiiumcial mairagement, health care delivery, benefit payments, life 
insurance services, and home mortgage loan guarantees, and the assets 
associated with these operations, at risk of misuse and disruption. In 
addition, sensitive information contained in va’s systems, including 
financial transaction data and personal information on veteran medical 
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records and benefit pajments, is vulnerable to Inadvertent or deliberate 
misuse, fiaudulent use, improper disclosure, or destruction, possibly 
occurring without detection. The general control weaknesses we identified 
could also diminish the reliability of the department’s financial statements 
and other managemoit information derived from va’s systems. 

We found significant problems related to the department’s control and 
oversight of access to its systems, va did not adequately limit the access of 
authorized users or effectively nranage user identifications (id) and 
passwords. The department also h id not established effective controls to 
prevent individuals, both internal md external, from gaming unauthorized 
access to va systems, va’s access control weaknesses were ftuther 
compounded by ineffective proced’jres for overseeing and monitoring 
systems for unusual or suspicious iccess activities. 

In addition, the department was not providing adequate physical security 
for its computer facilities, assigning duties in such a way as to segregate 
incompatible functions, controlling changes to powerful operating system 
software, or updating and testing disaster recovery plans to prepare its 
computer operations to maintain or regain critical ftmctions in emergency 
situations. Many of these access and other general computer control 
weaknesses are similar to weaknesses that have been previously identified 
by va’s oiG and consultant evaluations. Also, the oig reported infoimation 
system security controls as a material wealmess in its report on va’s 
consolidated fliumcial statements for fiscal year 1997. 

A primary reason for va’s continuing general computer control problems is 
thjd the department does not have a comprehensive computer securi^ 
plarming and management program. An effective program would include 
guidance and procediures for assessing risks, establishing appropriate 
policies and related controls, raising awareness of prevailing risks and 
mitigating controls, and monitoring and evaluating the effectiveness of 
established controls. Such a program, if implemented completely across 
the department, would provide va with a solid foundation for resolving 
existing computer security problems and managing its information 
security risks on an cmgoing basis. 

’The VA facilities that we visited plan to address all of the specific computer 
control weaknesses identified. In fact, the director of the Austin 
Automation Center t(^d us that his staff had corrected many of the geiteral 
computer control weaknesses that we identified. ’The director of the Dallas 
Medical Center and the Veterans Benefits Administration Chief 
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Information Officer (ao) also said that specific actions had been taken to 
correct the computer control weaknesses that we identified at the Dallas 
Medical Center and the Hines and Philadelphia benefits delivery centers. 
F\uthermore, the Deputy Assistant Secretary for Information Resources 
Management told us that va plans to develop a comprehensive security 
plan and management program. 


Background 


VA provides health care and other benefits to veterarrs in recognition of 
their service to our country. As of July 1,1997, 26 percent of the tuition’s 
population—approximately 70 million persons who are veterans, veterans’ 
dependents, or survivors of deceased veterans—was potentially eligible 
for VA benefits and services, such as health care deliveiy, benefit 
payments, life insurance protection, and home mortgage loan guarantees. 

VA operates the largest health care delivery system in the United States and 
guarantees loans on about 20 percent of the homes in the country. In fiscal 
year 1997, va spent more than $17 billion on medical care and processed 
more than 40 million benefit payments totaling more than $20 billion. The 
department also provided life insurance protection through more than 
2.5 million policies that represented about $24 billion in coverage at the 
end of fiscal year 1997. 

In providing these benefits and services, va collects and maintains 
sensitive medical record and benefit payment information for millions of 
veterans and their dependents and survivors, va also maintains medical 
information for both inpatient and outpatient care. For example, the 
department records admission, diagnosis, surgical procedure, and 
discharge information for each stay in a va hospital, nursing home, or 
domiciliary, va also stores information concerning health care provided to 
and compensation received by ex-prisoners of war. In addition, va 
maintains information concerning each of the guaranteed or insured loans 
closed by va since 1944, including about 3.5 million active loans. 

va relies on a vast array of computer systems and telecommunication 
networks to support its operations and store the sensitive information it 
collects in carrying out its mission. Three centralized data 
centers—locat^ in Austin, Texas; Hines, Illinois; and Philadelphia, 
Pennsylvarda—-maintain the department’s financial rrumagement systems; 
process compervsation, pension, and other veteran benefit payments; and 
manage the veteran life insurance programs. In addition to the three 
centraliziHl data centers, the Veterans Health Admmistration (vha) 
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operates 172 hospitals at locations across the country that operate local 
fliuutcial maruijeinent and medical support systems on their own 
computer systems. 

The Austin Automation Center maintains va's departmentwide systems, 
including centralized accounting, payroll, vendor payment, debt collection, 
benefits delivery, and medical systems. In fiscal year 1997, va’s payroll was 
almost $11 billion and the centralized accounting system generated more 
than 17 billion in additional payments. The Austin Automation Center also 
provides, for a fee, information technology services to other government 
agencies. The center currently processes a workers compensation 
computer application for other federal agencies and plans to expand the 
computing services it provides to federal agencies. 

The other two centralized data centers support va’s Veterans Benefits 
Administration (’/ba) programs. The Hines Benefits Delivery Center 
processes information from va systems that support the compensation, 
pension, and education applications for vba’s 58 regional offices The 
Philadelphia Benefits DeUvety Center is primarily responsible for 
supporting va's life insurance program. 

In addition, vha hospitals operate local financial management and medical 
support systems on their own computer systems. The medical support 
systems manage information on veteran inpatient and outpatient c.ve, as 
well as admission and discharge information, while the main medical 
fii\ancial system—the Integrated Funds Distribution, Control Point 
Activity, Accounting and Procurement (ipcap) system—controls most of 
the $17 billion in funds that va spent on medical care in fiscal year 1997. 

The IFTAP system also transmits financial and inventory infomtation daily 
to the Fmancial Management System in Austin. 

The three va data centers, as well as the 172 vha hospitals, vba regional 
offices, and the va headquarters office, are all interconnected through a 
wide area network. Ail together, va’s network serves more than 40,000 
on-line users. 


nhippHvP Sr*nnp flnrl Our objective was to evaluate and test the effectiveness of general 

UDjeCuVe, OLOpe, dllU computer controls over the financial systems maintained and operated by 

Methodology va at its Austin, Hines, and Philadelphia data centers as v/ell as selected va 

medical centers. General computer controls, however, also affect the 
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security and reliability of nonfinancial information, such as veteran 
medical, loan, and bunirance data, maintained at these processing centers. 

At the Austin Automation Center and va medical centers in Dallas and 
Albuquerque, we evaluated controls intended to 

• protect data and application programs from unauthorized access; 

• prevent the introduction of unauthorized changes to application and 
system software; 

• provide st'gregation of duties involving application programming, system 
programming, computer operations, security, and quality assurance; 

• erasure recovery of computer processing operations in case of a disaster or 
other unexpected interruption; and 

• ensure that an adequate computer security plaiming and management 
program is in place. 

The scope of our work at the Hines and Philadelphia benefits delivery 
centers was lirrtited to (1) evaluating the appropriateness of access granted 
to selected individuals and computer resources, (2) assessing efforts to 
morutor access activities, and (3) examirfing the computer security 
administration structure. We restricted our evaluation at the Hines and 
Philadelphia benefits delivery centers because va’s oig was plaiming to 
perform a review of other general computer controls at these sites during 
fiscal year 1997. 

To evaluate computer controls, we identified and reviewed va’s 
irfformation system general control policies and procedures. Through this 
review and discussions v/ith va staff, including programming, operations, 
and security personnel, we determined how the general computer controls 
were intended to work and the extent to which center personnel 
considered them to be in place. We also reviewed the installation and 
implementation of va’s operating system and security software. 

Further, we tested and observed the operation of general computer 
controls over va’s information systems to determine whether they were in 
place, adequately designed, and operating effectively. To assist in our 
evaluation and testing of general computer controls, we contracted with 
Elmst & Young LLP. We determined the scope of our contractor's audit 
work, monitored its progress, and reviewed the related work papers to 
ensure that the resulting findings were adequately supported. 
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We performed our work at the va data centers in Austin, Hines, and 
Philadelphia; the va medical centers in Dallas and Albuquerque; and va 
headquarters in Washington, D.C., from October 1997 throu^ 

January 1998. Our work was performed in accordance with generally 
accepted government auditing standards. 

VA provided us with written comments on a draft of this report, which are 
discussed in (he “Agency Comments" section and reprinted in appendix I. 


A basic management objective for any organization is to protect data 
supporting its critical operations from unauthorized access, which could 
lead to improper modification, disclosure, or deletion. Our review of va's 
general computer controls found that the department was not adequately 
protecting financial and sensitive veteran medical and benefit information. 
Specifically, va did not adequately limit tlie access granted to authorized va 
users, properly manage user ids and passwords, or routinely monitor 
access activity. As a result, va’s computer systems, programs, and data are 
at risk of inadvertent or deliberate misuse, fraudulent use, and 
unauthorized alteration or destruction occurring without detection. 

We also found that va had not adequately protected its systems from 
unauthorized access from remote locations or through the va network. The 
risks created by these security issues are serious because in va’s 
interconnected enviroiunent, the failure to control access to any system 
connected to the network also exposes other systems and applications on 
the network. Due to the sensitive nature of the remote access and network 
control weaknesses we identified, these issues are described in a separate 
report with limited distribution issued to you today. 


Access to Data and 
Programs Is Not 
Adequately Controlled 


Access Authority Is Not A key weakness in va’s internal controls was that the department was not 

Appropriately Limited for adequately limiting the access of va employees. Organizations can protect 
Autliorized VA Users information from unauthorized changes or disclosures by granting 

employees authority to read or modify only those programs and data that 
are necessaiy to perform their duties. 

VA, however, allowed thousands of users to have broad authority to access 
financial and seirsitive veteran medical and benefit information. At Austin, 
for example, the security software was implemented in a maimer that 
provided all of the more than 13,000 users with the ability to access and 
change sensitive data files, read system audit information, and execute 
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powerflil system utilities. Such broad access authority increased the risk 
that users could circumvent the security software, and presented users 
with an opportunity to alter or delete any computer data or program. The 
director of the Austin Automation Center told us that his staff had 
restricted access to the sensitive data files, system audit information, and 
powerfiil system utilities that we identified. 

In addition, we found several other examples where va did not adequately 
restrict the access of legitimate users, including the following. 

• At both the Hines wd Philadelphia centers, we found that system 
programmers had access to both system software and financial data This 
access could allow the programmers to make changes to financial 
irtformation without being detected. 

• At the Hines center, we also identified 18 users in computer operations 
who could update sensitive computer libraries. Update access to these 
libraries could result in the security software being circumvented with the 
use of certain programs to alter or delete sensitive data 

• At the Dallas center, we determined that 12 computer support persormel 
had access to all fiiumcial and payroll programs and data Although these 
support staff need access to certain programs, providing complete access 
weakens the organization’s ability to ensure that only authorii^ changes 
are allowed. 

• At the Austin center, we found more than 100 users who had an access 
privilege that provided the ability to bypass security controls and enabled 
them to use any cotiunand or transaction. Access to this privilege should 
be limited to use in emergencies or for special purposes because it creates 
a potential security exposure. 

The director of the Austin Automation Center told us that the privilege 
that provided users the opportunity to bypass security controls had been 
removed from all individual user ms. Ihe vba ao also said that a task force 
established to address control weaknesses had evaluated the 
irrappropriate access that we identified at the Hines and Philadelphia 
benefits delivery centers and made recommendations for corrective 
measures. 

We also found that va was not promptly removing access authority for 
terminated or tzarvsfeired employees or deleting unused or urmeeded ids. 

• At the Dallas and Albuquerque centers, we found that ids belonging to 
terminated and transferred employees were not being disabled. We 


Pafe? 


GAtVADID^lTS VA CoaiMUr Coatrol We«ka«MM 



93 




klentifled over 90 active IDS bek)nging to tennilutfcd or tnutfferred 
employees at Dallas and 60 at Albuquerque. If user ids are not promptly 
disabled when employees are termiiuted, former employees are allowed 
the ofqpoitunity to sabotage or otlterwlse impair va operations. 

• At the Dallas center, we kkntifled more than 800 IDS that had iH)t been 
used for at least 90 days. We also identified inactive ids at the Austiir, 
Hines, and Albuquerque centers. For instance, at the Hines center, we 
found IDS that had been iiwctive for as long as 7 years. Allowing this 
situation to persist poses uimeceasaty risk that imneeded ids will be 
compromise to gain uirauthorized access to va coiT>puter systems. 

In January 1998, the director of the Dallas Medical Center said that a 
program had been implemented to disable all user ids for terminated 
employees and those ids noi used in the last 90 days. In addition, the 
director of the Austin Automation Center aiKl the vba CIO told us that ids 
would be automatically suspended 30 days after the password expired at 
the Austin, Hines, aiKl Philadelphia centers. 

One reason that va’s user access problems existed was because user 
access authority was rK)t being reviewed periodically. Such periodic 
reviews would have allowed va to identify and correct inapprc^riate 
access. 


The directors of the Austin Automation Center and the Dallas Medical 
Center told us that they plarmed to periodically review system access. The 
VBA CIO also said that the Hines and Philadelphia benefits deliveiy coiters 
will begin routinely reviewing user ids and deleting individuals 
accordingly. 


User ID and Password 
Management Controls Are 
Not Effective 


In addition to overseeing user access authority. It is also important to 
actively manage user ms and passwords to ensure that users can be 
Identified and authenticated. To accomplish this ottlecttve, organizations 
should estabUah controls to maintain individual accountability and protect 
the cordidentiaiity of passwords. These controls should include 
requirements to ensure that ids uniquely identify users; passwords are 
changed periodicaliy, contain a qpe^ed numb^ of characters, and are 
not common words; default EDS and passwords are changed to prevent 
their use; and the number of invalid password attempts is limited. 
Organizations should also evaluate the effectiveness of these controls 
periodically to ensure that they are operating effectively. User ids and 
passwmds at the sties we visited were not being effecthvly managed to 
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ensure individual accountability and reduce the risk of unauthorized 
access. 


VA had Issued an updated security policy in January 1997 that addressed 
local area network user lo and password management Speciflcally, this 
policy required users to have separate los; passwords to be changed 
periodically, be at least six chariu;ters in length, and be formed with other 
than common words; and tos to be suqrended alter three invalid password 
attempts. Despite these requirements, we identified a pattern of network 
control weaknesses because va did not periodically review local area 
network user ids and passwords for compliance with this policy. 

" At the Albuquerque center, we identified 119 network ids that were 
allowed to circumvent password change controls, 16 ids that did not have 
any passwords, and eight ids that had passwords with less than six 
characters. 

• At the Philadelphia center, we found that approximately half of the 
network user ids, including the standard network administrator id, were 
vulnerable to abuse because passwords were common words that could 
be easily guessed or found in a dictionary. 

• At the Austin and Dallas centers, we found that network passwords were 
set to never expire. Not requiring passwords to be changed iiKreases the 
risk that they will be uncovered, which could lead to unauthorized access. 

In February 1998, the vba ao told us that the Hines and Philadelphia 
benefits delivery centers plan to require that passwords not be common 
words. Additionally, the directors of both the Austin Automation Center 
and the Dallas Medical Center said that although their stafib did not 
control wide area network password management controls, they were 
working with va technical staff to improve network password management 
by requiring passwords to be changed periodically. 

In addition, va’s user id sikI password maiuigement policy only applied to 
local area networks, va did not have departmentwide policies governing 
user IDS aiKl passwords for other computer platforms, such as mainfirame 
computers or the wide area network. Although some organizations within 
VA had procedures in these areas, we identified a number of user id and 
password management problems. 

• At the Philadelphia center, we found that the security software was 
implemented in a matmer that did not disable the master security 
administration id after a specified number of invalid password attempts. 
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Allowing unlimited password attempts to this ID, which has the highest 
level security authority, increases the risk of unauthorized access to or 
disclosure of sensitive information. 

• At the Austin center, we determined that more than 100 mainframe ids that 
did not require passwords, many of which had broad access authority, 
were not properly defined to prevent individuals fiem using them. 
Although system ids without passwords are required to perform certain 
operational tasks, these ids should not be available to individual users 
b^ause ids that do not require password validation are more susceptible 
to misuse. Twenty of these ids were especially vulnerable to abuse 
because the account identifiers were common words, software product 
ruunes, or derivations of words or products that could be easily guessed. 

• At the Dallas and Albuquerque centers, we discovered that an ID 
established by a vendor to handle various support functions had remained 
active even though the vendor had recommended that this id be suspended 
when not in use. 

The director of the Austin Automation Center told us that his staff had 
deleted nearly 50 of the mainfiame ids that did not require passwords and 
reduced the access authority for many of the remaining ids that did not 
require passwords. In addition, the chief of the Information Resources 
Management Service at the Dallas Medical Center agreed to take steps to 
address the system maintertance id problem we identified. 

We also found numerous instances where user ids and passwords were 
being shared by staff. For example, as many as 16 users at the 
Albuquerque Medical Center and an undetermined number at the Dallas 
Medical Center were sharing ids with privileges to all financial data and 
system software. At Austin, more than 10 ids with high-level security 
access were being shared by several staff members. The use of shared ids 
and passwords increases the risk of a password being compromised and 
undermines the effectiveness of monitoring because individual 
accountability is lost 

The director of the Austin Automation Center told us that shared ids had 
been eliminated and replaced with individually assigned user ids. In 
addition, the chief of the Information Resources Management Service at 
the Dallas Medical Center agreed to take steps to address the shared id 
problem we identified. 


Access Activities Are Not 
Being Monitored 


The risks created by these access control problems were also heightened 
significantly because the sites we visited were not adequately monitoring 
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system and user access activity. Routinely monitoring tlie access activities 
of employees, especially those who have the ability to alter sensitive 
programs and data, can help identiiy significant problems and deter 
employees fh>m Inappropriate and uitauthorized activities. Without these 
controls, va had little assurance that unauthorized attempts to access 
sensitive information would be detected. 

Because of the volume of seciuity information that must be reviewed, the 
most effective monitoring efforts are those that target specific actions. 
'n\ese monitorirtg efforts should include provisions to review 

• unsuccessfiil attempts to gain entry to a system or access sensitive 
information, 

• deviations from access trends, 

• successfiil attempts to access sensitive data and resources, 

• highly-sertsitive privileged access, and 

• access modifications made by security personnel. 

For vA, such an approach could be accomplished using a combination of 
the audit trail cap^ilities of its security software and developing 
computerized reports. This approach would require each facility to 
compile a list of sensitive system files, programs, and software so that 
access to these resources could be targeted. Access reports couldlhen be 
developed for security staff to identify unusual or suspicious activities. For 
instance, the reports could provide information on browsing trends or 
summarizations based on selected criteria that would target specific 
activities, such as repeated attempts to access certain pay tables or 
seivsitive medical and benefit information. 

Despite the thousands of employees who had legitimate access to va 
computer systems contaiidng financial and operational data, va did not 
have any departmentwide guidance for monitoring successful and 
unsuccessful attempts to access system files containing key financial 
information or sensitive veteran data. As a result, va’s monitoring efforts 
were not effective for detecting unauthorized access to or modification of 
sensitive information. 

Hie security staffs at the Philadelphia, Hines, Dallas, and Albuquerque 
centers were not actively monitoring access activities. At the FlUladelphia 
center, available violation reports were not being reviewed, while at the 
Hines center, it was unclear who had specific responsibility for monitoring 
access. As a result, iK> monitoring was being performed at either the Hines 
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or nuiAdelphia cesiters. In addition, neither the Dallas nor Albuquerque 
centers had programs to actively monitor access activities. 

Also, violation reports at the Austin Automation Center did not target most 
types of unusual or suspicious system activity, such as repeated attempts 
to access sensitive files or libraries or attempts to access certain accounts 
or pay tables. In addition, the Austin Automation Center had not 
developed any browsing trends or instituted a program to monitor staff 
access, particularly access by staff who had significant access authority to 
critical Ues, programs, and software. 

The director of the Austin Automation Center told us that he plans to 
establish a new security staff that will be responsible for establishing a 
targeted monitoring program to identity access violations, ensure that the 
most critical resources are properly audited, and periodically review 
highly privileged users, such as system programmers and security 
administrators. Also, the director of the Dallas Medical Center told us that 
his staff plan to periodically review user access. In addition, the chief of 
the Information Resources Management Service told us during follow-up 
discussions that the Dallas Medical Center will establish a targeted 
monitoring program to review access activities. 

Flirthermore, none of the five sites we visited were monitoring network 
access activity. Althou^ logging events on the network is the primary 
means of identitying uiuuithorized users or unauthorized usage of the 
system by authorized users, two of the sites we reviewed were not loggir\g 
network security events. Unauthorized network access activity would also 
go undetected at the sites that were logging network activity because the 
network seciuity logs were not reviewed. 

The director of the Austin Automation Center told us that his staff planned 
to begin a proactive security monitoring program that would include 
identityiirg and investigating unauthorized attempts to gain access to 
Austin Automation Center computer systems and improper access to 
sensitive information on these systems, llie director of the Dallas Medical 
Center also told us that his staff plaimed to implement an appropriate 
network monitoring program. 


Other General 
Controls Are Not 
Sufficient 


In addition to these general access controls, there are other important 
controls that organizations should have in place to ensure the integrity and 
reliability of data. These general computer controls include policies, 
procedures, and control techniques to physically protect computer 


Pate IS 


aWVAIMD-M-lTS VA CeapaUr Coatrol WcalncMea 




Physical Security Controls 
Are Not Effective 


resources and restrict access to sensitive information, provide appropriate 
segregation of dxities among computer personnel, prevent unautlmrized 
changes to operating system software, aiul ensure the continuation of 
computer processing operations in case of an unexpected intemqrtioit 
Although we did notre^ew these general controls at the Hines arid 
Philadelphia centers, we fouiKl wealcnesses in these areas at the 
Albuquercpie, Dallas, and Austin centers. 


Important general controls for protecting access to data are the physical 
secruity control measures, such as locks, guards, fences, and surveillance 
equipment that an oi^ardzation has in place. At va, such controls are 
critical to safeguarding critical firumdal and sensitive veteran information 
and computer operatioirs from internal and external threats. We fo<ind 
weaknesses in physical security at each of the three faculties where these 
contnUs were reviewed. 

None of the three facilities that we visited adequately controUed access to 
the computer room. Excessive access to the computer rooms at these 
facilities was allowed because iHMre of the sites had estabUshed poUdes 
and procedures for periodically reviewing access to the computer room to 
detehnine if it was stiU required. In addition, the Albuquerque Medical 
Center was not documenting access to the computer room by individuals 
who required escort, such as visitors, contractors, and maintenance staff. 

At the Austin Automation Centtf, for iivrtance, we found that more than 
500 per^le had access to the computer room, iiKlucUng more than 170 
contractors. The directm* of the Austin Automation Center told us that 
since our review, access to the computer room had been reduced to 250 
individuals aiKl that new prUides and procedures would be established to 
Airther scrutinize the number of staff who had access to the computer 
room. 

In addition, both the Dallas aiKl Albuquerque medical centers gave 
personnel from the information resource managonent group unnecessary 
accesstotheconqruterroom. At the Albuquerque Medical Center, 18 
employees from tte irtfocmation resource management group had access 
to the computer room, while at the Dallas Medical Center, all irtfocmation 
resource managdnent staff were aUowed access. At both medical centers, 
this access induded personal computer maintenance staff and certain 
administrative employees who should not require access to the computer 
rooin. While it is appropriate for iiffonnation resource rnariagetnent staff 
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to have acceas to the computer room, care should be taken to limit access 
to only those employees who have a reasonable need. 

Our review also identilled other physical security control weaknesses. For 
example, windows in the Dallas M^cal Center computer room were not 
alarm^ to detect potential intruders and sensitive c^ling in this 
computer room was not protected to prevent disruptions to computer 
operations. In addition, chemicals that posed a potential hazard to 
employees and computer operations were stor^ inside the computer 
room in Austiit FXuthermore, a telecommunication panel in the Austin 
Automation Center computer room was also not protected, increasing the 
risk that network conunuiUcations could be iiudvertently disrupted. 

The director of the Austin Automation Center told us that his staff had 
removed chemicals from the computer room and protected the 
telecommunications panel. In addition, the director of the Dallas Medical 
Center told us that his staff plan to address the physical security problems 
when the computer room is moved to a new facility. 


Computer Duties Are Not 
Properly Segregated 


Another fundamental technique for safeguarding progranns and data is to 
segregate the duties and responsibilities of computer personnel to reduce 
the risk that errors or fraud will occur and go undetected. Duties that 
should be separated include application and system programming, quality 
assurance, computer operations, and data security. 


At the Austin Automation Center, we found three system programmers 
who had been assigned to assist in the security adxninistration function. 
Under normal circumstances, backup security staff should report to the 
security administrator and have no programming duties. Because these 
individuals had both system and security administrator privileges, they 
had the ability to elimbiate aity evidence of their activity in the system. 

At the time of our review, Austin’s security software admiidstrator also 
reported to the appli^on programming division director. The security 
software admirustrator, therefore, had application programming 
responsibility, which is not compatible with the duties associated with 
system security. 

The director of the Austin Automation Center told us that actions had 
been taken to address the reported weaknesses. These actions included 
removing the master security admiitistration user id and password from 
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VjrMcoi prafraiMMfi mi MtsUWiinc A MW ncartly 0 RNip to oomoildito 
Mcurtly«o<hMigw!tByBlgW>th>ai)i»iat»tolow4y dia cM^ 
director aiwwklttMi an aMif^awym had been fitibltiheii Id provide 
ayatem pcofraaMMis with addMonal aooeaa when rn|uiied. TNa afiproach 
ahould not oniy invrave aeoeaa oonlrola but alao provide a aneaM to 
detennine tf ayeteni prodtanunee acoeaa authoi^tiea need to be escpanded* 

We abo found initancea wheie aoceaa conlrola did not enfbioe 
aegyd ari nn of duttea prindptea. Porexanple, wefoundntateueeninthe 
infonnation icaouroe manadenient froup at the Afoui|uen|ue Medical 
Center who had both unreatiicted uaer acoeae to an financial data and 
electro n ic algiature key authority. Theaep ri v Ucdca wouidanow the uaeta 
to prepaie invokea and then approve them for payment without creating 
Ml audit tralL 


Changes to System 
Software Are Not 
Adequately Controlled 


A atandard computer control practice is to enaure that only authoriaed and 
foQy tested operating ^item software is placed in operatioa To enaure 
that changes to the opoating ^atem software are needed, work aa 
intended, and do not result fai the loaa of data and program integrity, these 
changes riiould be documented, authorised, tested, independently 
reviewed, and impleroented by a third party. We found weaknesses in 
operating ayatem software change corrirol at the Austin Automation 
Center. 


Although the Austin Automation Cerrier security policy requited operating 
ayatem software changes to be approved and reviewed, the center had not 
established detailed written procedures or formal gukhaioe for modifying 
operating system softw ar e. There were no formal guidelines for approving 
and tenting operating system softw ar e changes. In addition, there were no 
rietailed procedures for impleroeiding these changes. 

During fiscal year 1997, the Austin Automation Cerdcr made more than 100 
system software changes. Hffwwfr, iwne of thrst* fhangft jnrhHtd 
evidence of testing, independerri review, or acceptance. In addhion, the 
Austin Automation Center dkl not provide any evidence of review by 
technical inanagement Fhrtheimore, operating system software changes 
were not im pl em e nte d by an inde p e n de Ht control jfoup. 

The dhector of the Austin Aut om a t i on Cerder told us that Ws staff p l a nne d 
to d oc u ment and inylfwwiit^ l ^ft a ^ tw g y * * — rf i— y mtinwi 

procedures that reqMiie l ndep end ee d a u p et viaoiy review and approval. In 
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addition, the director said that management approval will be required for 
each phase of the software change process. 


Disaster Recovery 
Planning Is Not Complete 


An organization must take steps to ensure that it is adequately prepared to 
cope with a loss of operational capability due to earthquakes, fires, 
accidents, sabotage, or any other disruption. An essential element in 
preparing for such catastrcqihes is an up-to-date, detailed, and fiiUy tested 
disaster recovery plan. Such a plan is critical for helping to ensure that 
information aystems can promptly restore operaticms and data, such as 
payroll processing and related records, in the event of disaster. 

The disaster recovery plan for the Austin Automation Center consisted of 
17 individual plarvs covering various segments of the organization. 
However, there was no overall document that integrated the 17 Individual 
plans and set forth the roles and responsibilities of each disaster recovery 
team, defined the reportiirg lines between each team, and identified who 
had overall responsibility for the coordination of all 17 teams. 

We also found that although the Austin Automation Center had tested its 
disaster recovery plat), it had otrly performed limited testing of network 
communications. This testing included the Austin Finance Center, but did 
not involve other types of users, such as vha medical centers or vba 
regiorud offices. In addition, the Austin Automation Center had trot 
conducted utrarmoutrced tests of its disaster recovery plan, a scetrario 
more likely to be encountered in the event of an actual disaster. Fltrally, a 
copy of the disaster recovery plan was not maintained at the off-site 
storage facility. In the event of a disaster, it is a good practice to keep at 
least one current copy of the disaster recovery plan at this location to 
ensitre that it is not destroyed by the same events that made the primary 
data processing facility urravailable. 

The director of the Austin Automation Center told us that he was in the 
process of correcting each of the deficiencies we identified. Actions he 
identified included (1) expanding network corrrmurrication testitrg to 
include an outyatient clinic and a regirmal office, (2) conducting 
unanrrounced tests of the disaster recovery plan, (3) incorporating the 17 
individual recovery plarrs into an executive plan, anid (4) niaintaining a 
copy of the disaster recovery plan at the off-site storage facility. 

We fourrd deficiencies in the disaster recovery planning at the Dallas and 
Albuquerque medical centers as well. At both locations (1) tests of the 
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Computer Security 
Problems Are Not 
New at VA 


disaster recovery plans had not been conducted, (2) copies of the plans 
were not nudntained off-site, (3) backup files for programs, data, and 
software were not stored offsite, and (4) periodic reviews of the disaster 
recovery plans were not required to keep them current 

The director of the Dallas Medical Center told us that he Intends to review 
the disaster recovery plan semiatmually, develop procedures to test the 
plan, and identuy an offsite storage facility for both the disaster recovery 
plan and backup files. 


The general computer control weaknesses that we identified are similar to 
computer security problems that have been previously identified in 
evaluations conducted by va’s oig and in contractor studies. 

For example, in a July 1996 report evaluating computer security at the 
Austin Automation Center, the oig stated that the center’s security 
function was fiiagmented, user ids for terminated employees were still 
active and being used, monitoring of access activities was not being 
performed routinely, over 600 individuals were authorized access to the 
computer room, and telecommunication connections were not fiiUy tested 
during disaster recovery plan testing. 

Similar findings were also identified by contractors hired by the Austin 
Automation Center to review the effectiveness of certain aspects of its 
general computer controls. Specifically, Austin brought in outside 
contractors to evaluate security software implementation in November 
1995 and network security in April 1997. 'The security software review 
determined that key operating system libraries, security software files, and 
sensitive programs were not adequately restricted, that more than 90 ids 
did not require passwords, and that access activity was not consistently 
monitored. In addition, the network security review found that the center 
had not established a comprehensive system security policy that included 
network security. 

The OIG also reported comparable access control atul security 
management problems at the Hines Benefits Delivery Center in May 1997. 
For example, the oio determined that access to sensitive data and 
programs had not been appropriately restricted and that system access 
activity was not reviewed regularly to identity unauthoriz^ access 
attempts. The oig also fouiKl that security efforts at the Hines Benefits 
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Deliveiy Center needed to be more focused to meet the demands of the 
center. 

In addition, the oio identified general computer control weaknesses at 
seven va medical centers as part of a review of the ifcap system conducted 
firom January 1994 to November 1995. Problems identified at a mitjority of 
these medical centers were reported in March 1997. These issues included 
problems with restricting accass to the production environment, 
monitoring access activity, managing user ids and passwords, testing 
disaster recovery plans, and reviewing user access privileges periodically. 

Furthermore, the oiG included information system security controls as a 
material wealmess in its report on va’s coirsolidated financial statements 
for fiscal year 1997. The oiG concluded that va assets and fiiuuidal data 
were vulnerable to error or fiaud because of sigrdficant weaknesses in 
computer controls. Although the Federal Matuigers’ Firumcial Integrity Act 
(pmfia) of 1982 requires agencies to establish controls that reasonably 
ensure that assets are safeguarded against waste, loss, or unauthorized 
use, these irdbrmation system integrity weaknesses were not included in 
the department’s fmfu report as a material internal control weakness in 
fiscal year 1997. 


Computer Security 
Planning and 
Management Program 
Is Not Adequate 


A key reason for va’s general computer control problems was that the 
department did not have a comprehensive computer security planning and 
mairagement program in place to ensure that effective controls were 
established and maintained and that computer security received adequate 
attention. 

To assist agencies in developing more comprehensive and effective 
iitfonnation security programs, we studied the security management 
practices of eight notrfederal organizations with reputations as having 
superior information security programs. We found that these organizations 
successfully managed their i^ormation security risks through an ongoing 
cycle of risk management activities.' As shown in figure 1, each of these 
activities is linked in a cycle to help ensure that business risks are 
continually monitored, policies and procedures are regularly updated, and 
controls are in effect 


'For more inrornution on the risk management cycle, aee Information Sectirtty Management; Leamini 
FYom Leadinit Onaniationa (GAOMIMD-8S68, iW 1896). 
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Flflura 1: Risk MaiMgMiMnt Cyelt 





The risk management cycle begins with an assessment of risks and a 
determination of needs. This assessment includes selecting cost-effective 
policies and related controls. Once policies and controls are selected, they 
must be implemented. Next, the policies and controls, as well as the risks 
that prompted their adoption, must be communicated to those responsible 
for complying with them. Finally, and perhaps most important, there must 
be procedures for evaluating the effectiveness of policies and related 
controls and reporting the resulting conclusions to those who can take 
appropriate corrective action. In addition, our study found that a strong 
central security maiuigement focal point can help ensure that the mitjor 
elements of the risk management cycle are carried out and can serve as a 
communications link among organizational units. 

In contrast, va had not instituted a framework for assessing and numaging 
risks or monitoring the effectiveness of general computer controls. 
Speciflcally, va’s computer security efforts lacked 
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• clearly delineated security roles and responsibilities; 

• regular, periodic assessments of risk; 

• security policies and procedures that addressed all aspects of va’s 
interconnected environment; 

• an ongoing security ihonitorlng program to identiiy and investigate 
unauthorized, unusual, or suspidous access activity; and 

• a process to measure, test, and report on the continued effectiveness of 
computer system, network, and process controls. 

The first key problem at the locations we reviewed was that security roles 
and respondbllities were not clearly assigned and security numagement 
was not given adequate attention. For example, the computer security 
administration fimcdon at the Austin Automation Center was fragmented 
between computer security administration staff and other computer 
security components. Specifically, computer security administration staff 
report^ to the appIlcaUon programming division while other computer 
security staff reported to a staff fimction within the center’s management 
directorate. Furthermore, the computer security administration staff was 
responsible for application programming in addition to supporting security 
adndnistration. 

The director of the Austin Automation Center told us that a new security 
group would be formed to consolidate staff performing the security 
software admirUstration and physical security ftmetions into one group. As 
part of this effort, roles and responsibilities for security administration 
were to be explicitly assigned. 

The roles and responsibilities for managing computer securiiy at the other 
facilities we reviewed were also weak. For instance, computer security 
administration at the Philadelphia Benefits Delivery Center was limited to 
adding and removing users from the system, while at the Hines Benefits 
Delivery Center the responsibility for day-Unlay security monitoring and 
reviewing the overall effectiveness of the security program was unclear. 
And at both the Dallas and Albuquerque medical centers, security 
administration was assigned only as a collateral responsibility, 'lire 
security admiidstrators at these medical centers reported spending less 
than a fifth of their time on security-related matters, which was not 
sufficient to actively manage and monitor access to critical medical and 
firumcial systems. 

A second key aspect of computer security plaiuiing arul management is 
periodically assessing risk. Regular risk assessments assist management in 
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making decisions on necessaiy controls by helping to ensure that security 
resources are effectively distributed to minimize potential loss. These 
assessments also increase the awareness of risks and, thus, generate 
support for adopted policies and controls, which helps ensure that the 
policies and controls operate as intended. 

va’s policy requires that risk assessments be performed every 3 years or 
when sigi^cant changes are nuule to a fiscility or its computer systems. 
However, tume of the three facilities where risk assessments were 
reviewed—Albuquerque, Dallas, and Austin—had completed risk 
assessments on a periodic basis or updated these assessments when 
sigrdficant changes occurred. For example, there was no Indication that a 
risk assessment had ever been perform^ at the Albuquerque Medical 
Center. The Dallas Medical Center risk assessment had not been updated 
sirtce 1994, even though its processing environment had changed 
significantly since thea The Dallas Medical Center has upgraded its 
corrqruter hardware and added network capabilities since 1994. 
F\irthermore, the Austin Automation Center did not conduct a risk 
assessment flrom 1991 through 1996, even though the center implemented 
a rrew financial matragement computer system during this period. The 
director of the Austin Automation Center told us that his staff plaruied to 
begin assessing risk on a regular basis. 

A thii d key element of effective security planning and marugement is 
having established policies atul procedures governing a complete 
computer security program. Sw^ policies arul procedures should integrate 
all security aqrects of an organization’s intercoimected enviromnent, 
including local area network, wide area network, and mainframe security. 
The integration of network and mainfhune security is particularly 
important as conqputer systems become more and more interconnected. 

va's CIO, through the Deputy Assistant Secretary for Information Resources 
Management (das/irm), is req;)onsible for developing departmentwide 
security policies and periodically reviewing oiganizatioiud compliance 
with the securitypolkdes. On January 30,1997, das/irm issued an updated 
security policy. However, this policy is still evolving and does not yet 
adequately establish a fri^w^ for developing and implementing 
dfective security techniques or monitoring the dfectiveness of these 
techniques within va’s interconnected environment For example, the 
updated security policy addressed local area networks but did not provide 
guidance for other computer plalfotms, such as mainframe computer 
security. 
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A fourth key area of an overall computer security management program is 
an ongoing security monitoring program that helps to ensure ttuU facilities 
are monitoring both successful and unsuccess access activities. As 
noted above, va did not have overall guidance on moidtoring atKl 
evaluating access activities at va processing facilities. Secxulty 
administration staff at the va facilities we visited were not actively 
monitoring successnil or imsuccessful attempts to access sensitive 
computer system files. In addition, although va has procedures for 
reporting computer security incidents, these procedures wlU not be 
effective until each facility establishes a meclumism for identifying 
computer security incidents. 

A fifth key element of effective security planning and management is a 
process for periodically monitoring, measxuing, testing, and reporting on 
the continu^ effectiveness of computer systent, network, and process 
controls. 11113 type of security oversight is an essential aspect of an overall 
security planning and nuuugement framework because it helps the 
organization take responsibility for its own security program and can help 
identity and correct problems before they become m^or concerns. 

Although VA had taken some measures to evaluate controls periodically, 
the department had not established a coordinated program that provided 
for ongoing local oversight and periodic external evaluations. In addition, 
VA had not provided technical standards for implementing security 
software, maintaining operating system integrity, or controllii\g sensitive 
utilities. Such standards would not only help ensure that ^proprlate 
computer controls were established consistently throughout the 
department, but also facilitate periodic reviews of these controls. 

Ihe Austin Automation Center was the only facility we visited that had 
attempted to evaluate the effectiveness of its computer controls. For the 
last 3 years, the Austin Automation Center has brought in either OIG or 
contractor personnel to evaluate certain aspects of its computer security, 
including mainframe security software implementation, the network 
security environment and physical access controls. In addition, the 
director of the Austin Automation Center told us that the center’s client 
server envirotunent and security controls would be reviewed during 
calendar year 1998. However, the Austin Automation Center had not 
establish^ an ongoing security oversight program to ensure that controls 
continued to work as intended. 
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in addltkm. both the iMMM Mcurily froup and te m 
i trfom a toi Security Servtee(iaM) had p eifa wwdeecMrity review^ 
theae ravtewi focueed on coaivlleim rather than on the cflfectiveneM of 
contiola The iMaani aecurily froqp evahiated dteeeter recovery on a 
departaaenriride baria In flacal year 1907; MM levlewa corepulcr aecurity 
at VHA prooeaaing flacflitiea on a ayearrotarional baaia. Deaphe theae 
cflbrta, we found control weakneaaea due to nonrorapllanfri with va 
pollctea arid prooeduna. PValhennoie, until VA ealabllahea a propani to 
perlodlcaSy evaluate the efliaclIvencaB of controla, it wn not be able to 
enaute that ha computer ayateme and data are adeqnaMy protected from 
unauthoriaed aoccaa 

In April lOOSt DAMBM offldala told ua that VA la ht the pcoceaa of 
deu^kiping a comptehenaive aecurhy plan and manatement ptofram that 
wil hicoipoiate a riak nwnaoernent c:^ arid hichide requbementa for 
monhorlntacoeBaactlvhy.rcpott li i g aecurhylncident a , and reviewing 
compliance with polidea and ptoceduiea. The director of VHA MM abo told 
ua in April 1906 that the VHA Information aecurhy program office la 
addt e aa in g all of the aecutily ia aueelde n tifledAa part of thb effort, MM 
plana to change tta orvette aecurity review procedurea arul VRA plana to 
expand current aecuthy polkiea and guidance. 


Conclusions 


VA'a acceaa oorhtol problema, aa well aa other gerreral computer control 
weakneaaea, are placing aenahive veteran medical and benefit infocmation 
atriakofdir Aue, critical Itaarrcial and berrefit dettvery operatkaia at 

riak of diaruption, a^ aaaeta at riak of loan. The general ooraputer control 
weakneaaea we iderhlfled could alao adveraely affect other agmeiea that 
depend on the Auatki Automation Center for ccanputer pm rearing 
aupport 


B a perl al l ydiat u rbing la the het that many aimilar weakneaaea had been 
repotied in previoua yearn, indicating that VA‘a paat actlona have not been 
effective on a depmlmentwlde baaia. Implemethltrg more effective and 
laating controto that protect aenahive veteran information and eatabUah an 
effective general coraputer corhrol enviroruaent tequbea that the 

naa nagrment program. Thin program ahould provide for periodicafiy 
aaaeaaltrg riaka, Implementing effective corhrola forreatiictiugaooeaa 
baaed on Job tequhementa and proactively reviewing acccaa acrivklea, 
cl e rMl y d c.fln i rt g a e cu rtty rolea ami reapottatoflhiea, and, pethapa moat 
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tavottanl, monitortng evaluating the effectivenm of 
poMclea to eaauve tlHt they leniain effective. 


Recommendatioiis 


We reoomnend that you diiect the VA CIO to work in ootitunctton with the 
VIA and VHA cna and the fSadUty diiecton aa appropriate to 


• Ibaitacoeaa authority to only thoae computer prognuna and data needed 
to peffonn Job reapomibilkka and review acceas authority periodicaity to 
IdentUy and coned inappropriate acceaa; 

• implement ID and paaawi^ management controtoacrooa all computer 
platflorini to nudntain individual accountability and proCed paaa«rotd 
conAdentlaltty and teat theae controia periodically to enaure that they are 
operating effectively; 

• develop targeted monitoiing programa to routinely identiiy and inveatigate 
unuBual or auapidoua ^atem and uaer acceaa adivily; 

• reatrid acceaa to computer rooma baaed on job reapcaiaibillty and 
periodically review thia acceaa to determine If it is atill appropriate; 

• aeparate Incompatfele computer reaponaibilitiee, auch aa ayatem 
programming and security adminiatnuion, and ensure that access controls 
enforce segregation of duties principles; 

• require operating system software changes to be documented, authoriaed, 
tested, independently reviewed, and implemented by a third party; and 

• e a tshllsh co n trob to ensure that cBsaster recovery plana are 
comprehensi v e, current, folly tested, and maintained at the offsite storage 
fodMly. 


We also recommend that you develop and Implement a comprehensive 
depoitmentwide computer security planning and management pro^ant 
included in this profpam should be procedures for ensuring that 

• security rolea and responaihiUties are dearly assigned at>d security 
managemcK la given adequate attention; 

• iialcs are assessed pe r jodkadly to ensure that corttrob are a pprop ria te; 

• aecuritypollciea and procediaescornprehcrnively address aBaspecte of 
va's tatercomected environment; 

• attempts (both aucceasftd and uraucoeasAil) to gain access to VA computer 
systerw and the sensitive date Ues and critical production programs 
stored on these systems are idenlifled, reported, and reviev^ on a regular 
basis; and 
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• a security oversight ftinctlon, including both ongoing local oversight and 
periodic external evaluations, is implemented to measure, test, aitd report 
on the effectiveness of controls. 

In addition, we recommend that you direct the va cio to review and assess 
computer control weaknesses that have been identified throughout the 
department and establish a process to ensure that these weaknesses are 
addressed. 

FWthermore, we recommetKl that you direct the va cio to monitor and 
periodically report on the status of actions taken to improve computer 
security throu^out the department 

Flrudly, we recommend that you report the information system security 
weaknesses we identified as materia] internal control weaknesses in the 
department's fmfia report until these weaknesses are corrected. 


Agency Comments 


In commenting on a draft of this report, va agreed with our 
recommendations and stated that it is taking immediate action to correct 
computer control weaknesses and implement oversight mechanisms to 
ensure that these problems do not recur, va stated that it is also preparing 
a comprehensive security plan and management program that will 
incorporate a risk management cycle and include requirements and 
guidance for monitoring access activity at va facilities. 

In addition, the va stated that its cio is working closely with the vba and 
VHA aos to identify computer control weaknesses previously reported in 
oiG reviews and other internal evaluations and develop a plan to correct 
these deficiencies, va also irfformed us that the cio will report periodically 
to the OIG on va’s progress in correcting computer control weaknesses 
throughout the department 

Finally, va agreed to consider outstanding computer control weaknesses 
for reporting as material weaknesses in the department’s fiscal year 1998 
FMFiA report when the department’s top management council meets in the 
first quarter of fiscal year 1999. 


nUs report contains recommendations to you. The head of a federal 
agency is required by 31 U.S.C. 720 to submit a written statement on 
actions taken on these recorrunendations to the Senate Committee on 
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Qoveminental AiEalra and the House Conunittee on Government Reform 
and Oversight not later than 60 days after the date of this report A written 
statement also must be sent to the House and Senate Committees on 
Appropriations with the agency’s first request for appropriations made 
more than 60 days after the date of this report 

We are sending o^ies of the report to the Chairmen and Ranking Minority 
Members of the House and Senate Committees (Hi Veterans Afltdrs and to 
the Dire<tor of the Office of Management and Budget Copies will also be 
made available to others upon request 

Please contact me at (202) 612-3317 if you or your staff have any questions. 
Major contributors to this report are listed in appendix n. 


Sincerely yours, 


-fig I g 


Robert F. Dacey 

Director, Consolidated Audit and 
Computer Security Issues 
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Appendix 1 _ 

Comments From the Department of 
Veterans Affairs 


Note: GAO comments 
supplementing those in the 
report text appear at the 
end of this appendix. 


See comment 1 



DcMfrTMiNT oe vrrt MMe AmuM 

AtMTXMT eiCnrrMV m fOUCV AW PlMMNO 
WaanmotonOC ww 

JU. I 6 sge 


Mr. Gene Oodaro 

AtaMant Comptroaer Ganerai 

Accounting and Information Managamant OMaion 

U. S. Qan^ Accounting OfAoa 

441 G Street, NW 

Wtehlngton. OC 20948 

Dear Mr. Oodaro: 

Thia ia In raaponaa to your draft report,* VA MPORHAVOM SYSTOtS: 
Cornpuiaf Cofftnrf Wtia toi aa a a a f ncr ea a a Wfofto/fraud^MtauaaandfcqpnBpar 
Oteefoaure (GAO/AIMO-oe-175). Your report citaa numeroua VA ayatoma aacurfty 
breachea that oonoam ua greatty- VA la taking Immediate action to correct thaaa 
defidenciea artd ia InatHuti^ ovaraight machanlama to enaure that auch a breakdown In 
the protection of our financial, vaierana'banafll, vaterana' health, and empioyea data 
ayatoma doaa not recur. 

VA fofty oorrcura ii. jach of the reporta recommandatfona except for the one 
caltng for VA to report the Information ayatam aacurily weaktreaaea you identlfled aa 
material Internal control waaknaaaaa reported by the Department under the Federal 
Managara Financial Integrity Act (FMFIA). For that recommendatxrn, we can only 
concur in principle. VA'a procaaa for datemnining a material weaknaaa tequirea a top 
management coundi to conaider Internal control weaknaaa iaaueo for repotting under 
FMFIA. That counoi* wfll not meat unbi the first quarter of next fiacal year. Bythatbma, 
we hope to have many of the idantifiad internal control weakneaaaa corrected, thereby 
defUaing the reporting iaaua. VA'a sasaaamant of progreaa will be the determining 
factor. 

Endoaure (t) deacribas actiona taken and planned to implement your 
recommendations. Endoaure (2) ia an action plan that the Veterans Health 
Administration has developad to address your recommandationa throughout VA'a 
health care system. Endoaure (3) detsis additional actiona that the Veterans Benefits 
Adm i ni s t ra t i on is taking to address your recommandationa. I appiedate the opportunity 
to review the draft of your report 


Sincerely, 


Ertdoaure 
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I 

rpl—WH dM D* *yw«M*t of 
VottruoAOkln 


Enctooura 


OEPARTMENT OF VETERANS AFFAIRS COMMENTS 
TO GAO DRAFT REPORT. 

VAINFORUATIONSYSTtHS: Com(Hit$rControl IneimmtUukof 

iM§u$9 find lnipfop$f 
(QACVAIMD^ITS) 

OAO racommands that tha S a cf a M fy of Vatenata Aftaira Mraet tha VA CtO 

to arorfc In eonjunetlon aftti tha VBA and VHA CiOo and tha tocWly 

difaotofa aa a pp fopflata to 

• Ihnlt aceaaa autfKirily to only thoaa eomputar pragranw and data 
naadad to paffonn |oB caaponaSillltlaa and pariodtoady lavfaw aooaaa 
aulhofftty to Idantify and oofraol inappfopriata aooaaai 

• Implantont O and paaaafofd inanaQanMnt oontiola aofoaa ad oonpatif 
ptalfonna to nalnlaln Individual ac o ountabdity and pcotaol paaaawftl 
oonfldandadty and pariocdoally taai lhaaa oomrola to anaura that lhay 
afa opafatInQ afVaoCIvalyf 

• davatop ta r gata d monKortng proipama to rouUnaly Id antif y and 
tnvaadgataunuaualofauaplclouaayatanianduaaf aacaaaaotlvtty; 

• raatriet aooaaa to tha oomputar room baaad on )oh raapanaMRty and 
pariodloally ravlaw thia aooaaa to data nn ina If d la aMd appropriata; 

• loapara te lnoonipatBtlaootnputaf faaponad»dltlaa aueh aa ayatam 
Itrogrammlng and aaourlty adminiatiallon and anaura that aooaaa 
oontroto #fiforo# MQf^QSlIoo of dutioo pf1nciploo{ 

• raquira oparating ayatam aoftwara ohangaa to ba dooumantad, 
authortsadf taatad. Indapandantly ravlaivad and bnplanianlad by a third 
party, and 

• aatabllah oontrola to anaura dtoaatar ra c ovary plana ara 
oomprahanalva, currant fudy taatad, and maintainad at tha ofhaNa 
atoraga faodity. 

Conoif - Tlia Dapartmant's CIO la coordinating VA'a raoponaa to tha ranga of aacuitly 
waaitnaaaaa addraaaad In tha abova parta to tha laoommandation. VHA'oMadical 
Informadori Sacurlty Sanrica (MISS) la raaponalbla for ovaraighi of VHA'a Infonnation 
ayatam aacurty program. Whlla marty of tha aacurtty atapo cbad In thia 
laoommandatlon ara abaady a part of axlatirtg podcy (VHA Manual M*11, Chaptar 16), 
aomaaiaiiotandtharattllaxtataanaadforovaraight MISS will Inoorporata 
compHanca ravlaw prooaduraa into Ha flaid atatlon aha vWt program. VBAhaa 
aatablalwd an Information Sacurlty Taak Foroa to ravlow tfW aacuiity araaa that OAO 
IdantlAaa. Tha taaWorca praparad a numbar of racommandaliona to oorract policy 
ahofloomlrtgaartd aooaaa control ooncamaldaritiftad at tha Hinaa and Ph da dalpNa 
Banafita Oalivary Cantara. 


Pa(«M 
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Ap^MdUl 

CoMBMts ProM tk« 0«raita«u of 
VtUraMAOkin 


Endotur* * 


DEPARTMENT OF VETERANS AFFAIRS COMMENTS 
TO GAO DRAFT REPORT. 

VAINFOKMATIOHSYSrm^! Conpvtmr ConM ¥>f»aknmM» tninam KM Of 
Rnwol MftuM and/«^Rrep«r OMcAmut* 

(QAO/AIMO-9ft-17S) 

(Contfnued) 


OAO alM raconmaoda; 

thatthaSa ci aMfy davatopawdiniplawa nt a co inpfahanalva 

Dapartn>an<wMa cowiputar iacwWy planning and managwwairt p^ogfam. 

Indudad in tMa prooram aliouM ba proeaduiaa for anauring tturt 

• aaeurtty rolaa and laaponalMMaa ara Maaity aaaignod and a a cu rl^ 
ntanagamant la givan adaguafa attMidon^ 

• rtaka ata a a aaa nd pariodteally to awaura that coMrola ara approp ria ta; 

• aacurHy poU c iaa and prooaduraa compraiwnalvoly ad d rtaa all aapaeta 
of VA'a Intar c onnacfid anvl r onmanl; 

• atiMnpia (botti auceaaaful and unauocaaalkJl) to gain acooaa to VA 
eompiitor ayatoma and a anaMva data flioa and cr W cal produelton 
programo atorad on thaaa ayatoma am Ida o lWad, raporlad and raalawad 
on a ragular baala; and 

• a aacurttyovaraigMfunclton, Including bolh ongoing local ovaralgM 
and parlodic axtamal avaluatfona, la hn p la m an to d to ma aa um, last, and 
mpoft on toa a f fa ed va n aaa ofconbola. 

Concur • VA it praparing a oomprahanaNa aacurity plan and managamant program that 
wM indudo Inddant raporting ancurtly aw a ranaa a . comptoinoa ravlawa. and much morn. 
Wa ara alto Incorporating a rtak mariagamani cy^ Into Ihia program to anhanoa VA'a 
computor control aa notad In tha dlacuaaion dralL In tha poH^ wa Ml Induda 
raquiramanta for monitoring al aooaaa attarrvla aa wal aa damloping oorraapotvllng 
guidanoa in an adjoining harKtoook oonoamlng ovatoaUon aooaaa acbvltiaa at al VA 
(adlliaa. In addition, aacurtty awaranaaa aaaaiona wl ba oonductod at our upcoming 
Information Technology Confaranoa (ITC) In Auguat In Auatin Taxaa. 


In addWon, OAO raeonananda that ttia S acrata r y dhact tha VA CIO to 
fwtow tfid MMM c o ffi p ul i f cofifro l ttMt htv# iMM WmiMmI 

tuoughout tha dapartmant and aatabUah a proeaaa to annum dial thaaa 


Paf«M 
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An*MdU I 

CMHMMa rr«« tiM DayMtMMt 
V«t«nuM Af&iln 


See comment 1. 


Encfcwura 


DEPARTMENT OF VETERANS AFFAIRS COMMENTS 
TO OAO DRAFT REPORT, 

VAMPORMAnONSVSTBWS; C oee n Nf Con<re/W%efcr>e—ee l ecr ieet RM oi 
Fraud, mdhnpnptr Dtetteeijne 

(GAOIAIMO^ITS) 

(ContintMd) 


Concur • VA's C lO and the two ina|or admlnMrabon C lOe aia working doaeiy wkh ttw 
Ofloo of Irwpector Gonoral to idan% pievtouily cttad ocinputor Mcurky weafcnaaaaa 
and to develop a plan wHh a IhrwIaMo to oorraet thoae daMancioa. VA'aCIOwR 
naporl montily to the 010 on p ro gcaai In knplMnondng IGli and QAOk 


FuiMiai'iit o re. OAO r a c o mw aoda that the S a ci etaty direct the VA CtO to 
fnonNor and parlodIcaSy laport on tha alalua of acdona taken to ImproYt 
covnputor aoourtty tfimuglioet the daparknank 

CgtHUC ■ VA's CIO wM monkor deaa l y tha acllona plannad and taken to correct tha 
computer aacurlty waatuiaaaai difougtioul tha DapaitiiiaiiL Ha wM alao pertodtoaky 
report on tha prcujraii achieved to the Inapactor Oarraral. 


Finally, OAO raeommanrto that tha Secretary report the Information ayatom 
eeetirlty weakneaaea OAO I dentJItod aa material weaknaa a aa in Ihe 
dapar toi anf a FMFIA report until ce trectad. 

Concur In Prtnciole • Tha Daoaitmanfa a anlor manaoerrrarrt wil meet durinp tha Iket 
quarter of Flacal Year 1999 to Mamify twee intamal conkol hauea that require the 
utmoat aSantlon to oorrecL At that time, they wN oonordar toe DapartmenTa intormalion 
ayatam aacurty waaknaaaea for raporttog aa matartal waaknaaaoa under the Federal 
Managata Financial Inlagrty Act It la tha Dapartmanfa expectation that we wS have 
made aufflciant progreaa In correcting lhaae prohlerTW to preduda auch reporting. 


in addMon, tha report ahouU rellad tha progreaa and changea that VA haa 
Implamantad to oorted profelam a aa daacrtoad in our corrwnarrt a to QAO^ intorim 
report For axampla, the Aucdn A u tomatio n Center haa: 

a. Raaaiignadimmadtotaraaponafolty tor both data and phyalcalaacurity to tha AAC 
Director. 


Pafatl 
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C»MITiaNT OF ^TIRMM 

to (MO OMFT REPORT, 

mmnmmfi o iimfnm m: .. . 

( C ei Ow wO 


k C 0 f Xiieli < 1 h<i n n<iK wiiwUo <ilini * i Rw i Rpi ii pilKi w R >8 i n l tny w 

licRiiotoiria^iWMwMwtaliRlBwrfB u d l ttM^ 

•wwdR««o(t 

4. n ii Q ii l f-"*-IT---»*-'“•*-—«» —••■* ——<« 

dBB H wn H w W BMIenaliwhdKi im fci dn alHtiBUdiwpwt 

«. CflwylilidwnUmnw dmatkmirntn&n^t. 
eawdli m >y t ipli W hir 30. im. 

1 NaquMMtwOKlMdeMOtoparfBniialskMHVfMdwbylwandefFYIMto 

¥Wd^»>mBl1 lB Harwpo mw d h gi. 


Pwttt 






118 


CO( — NB rt « lYow of 

V«tmw Allkin 


&MlOkara(S} 


Action Flu in Wni o n n to OIC/GAO/MI Aodito/Ftofrui Bnlutiano/llooiiwt 
NaMofRopect VAINFOKMA1JONSYSTEMS: CmfiairCMnlWUmmmb$awm 

nan tf fTMHV iVMv flW wWUOfIKw 

nrofKtHoj GAO/AJUMS-m 
DktoofiUiwrt hmoNM 


ItooonuMndallaM/ CoujiMicn 

Acttoao Doto 


WofOAO)nwunion<IBntihtS»cntoiyolVttofoni AtfiincUncttinVA ClOto 
work in oonfonetion wMi VBA ud VHA C30k ud too todUtf dincton ko appropitoto 
to: 

RooonsMrkUtton No. 1: limit ooono mUwrlip to enijr tfaoM conpotor prognao and 
date n oodid to p orfecm fobn^tomibiilltoi and partodicaOjr tovtow aocaaa auihodiy 
and oorract inappfopflato aooaaa. 

Coocnr 

VHA'a Manual M*11 Chaptor Pangrtph l&W a, Frocaduna tor Syvtom Aocaaa, 
addnaaoi tUf qMcUic iaaaa. Tfaia paragraph atalaii*Uao of VHAinfcmatlonaaaala 
(hardwara/aoAwaia/daia) ia laaMctod to ttwaa with a naad for thorn to tot 
pattormanca of todr duttoa....'fa addilton to toia policy, Madical Information Sacnriiy 
Sarriot (MBS) ia changing pfooadttiaa for Aair alto viaiti to tocioda chocking for 
compbanoa wito thia policy. 

KacoBUMndfttton NOk 2 : fanplMMBtlD tod ptMWwd nuM^HMotoonlrQlf Krai# tU 
cempvtor platfdrma to avaintato todMdnal aocoontaUity a^ protactpaaaword 
confidanUality and periodically toot thaaa controla to uaara that they an opmattog 
aflachraly. 

Concur 

VHA'a Mamial H*ll, Chaptor 1, Faragraph lh09 f« Ftooadaraa far Uos’ Acsaca^ 
addiaaaaatoiaapadflciaana. Bctataa.'PiocadnnaahouldbatoptocatDrtviawttaar 
changa of atatoa (c.g., tr an a f ir, torminatioiv aaparation).' Thia paragra|to aloe Uata 7 
laq ulr aattnfadaaUngwitotoiaprocadnra. MisSwlIlfoUow.iipoathlalatottoord«rto 
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Ciwmw rwawDtMt—to# 

VatmM Allklrt 
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AfftwHM I 

CMMMBta Trom tk« DapwtBMit of 
VtteiaM Aflkln 


Adloa WmUm Kihid h teOtO/OAO/MI Aadili/Ptagraa 

S»mmotUo«»tyAINF(»MATK>NSYSrtMS:Omfia^ClmMVt*ilammmlmnm 
MitftmJ, Ulmm m i lmi/nfmDkilemn 

prandvM.* TUtkcOT«iax«**«*N«p«ta#itt<M«*MBBs««ri4rnvtew 

pfOCHi* 

XmMMddioa Nfc Sc Sifimti iMsaqwiiMa tanpate iMpendbOMM aodi M 

flaiont MfMfittoB of p(lad|plt ^bdiiia 

CwW Tlf 

VHAMamMlM-ltChqilflA fkr i yu ihmXdi^i d c tj mMfldtiiOM*, 
it dMiraUa fiM a MCBil^ oteadpotat Ihd Omm pooUioM bo MpaniMi 10 SmI 
4triiat of tiqr OM panon wa not adwtalp aftoct Mm AntoautKl bfcnuifaa SyttHM 
(AEDdBttocaaOictafiairatarBMltdoaaiBltnt*' lUi it a atandaid pnoadw* 
dHdtad dttitas (hi ottoMt MBS aacml^ iwriaw pnoaatL 

R a w»ww aada>ionNo.fcKaqwirtopa»atl ng t y it M toftwartdunttttoba iinmw twit d , 
aali>oittad H tt * t4 ii>fi t p ta d t B ily io tiawo i iaad > ti p ltt n t nl t i1 byatfitelpa»^. 

Coaenr 

VHAMaatial 14-11, gMpttflAftBoyaphlAlACtrMfltaiioaaad to rartiSratioa, 
addfoataaOiitictM. TUtdMptardiacuatattfaaraqulraaMnbferlMtiiigofaSBaw 
appMc a MoataadoftifoiflcaaitaodiacaileatooiJtiiwgapplicaMoBtu R alto ditnaaat 
IfataoodtedoattdttiormitwaiKli^ctrtlflcaiiOBthtUbapotfctawdai l ttt i too iy S 
jroan. AadteorforittMatidto^totiacatioatiocotitidafodapoitofaftaejr 
Tohoratflity totottotaoii and teianial cowirol r rritw a MBS it cvmnlljr woriciiv wliii 

a ootttracling lim to dotolep crtiaria and gnUWinat for oarUiyii^ tO taatilivo 
a p pli tat io H taaJt y ito w i wjgiiBVHA. AdnftefOitMqiiimMntitoxptctodbjr 
Odobarim A dtHt to w al l o ytif taoB i titrlbitrt ro t no ia wdt t ion conatobttbiifidte 
bt-11, OMptor U Vadikstioa. 

WomatiawiitMoii No. 7: Htiibiitb ceairolt to aatoao cUtttItr locoopty plant art 
oaoprahaBtiva conoat faOjr toatodr and Biaiatoliiad at dw ofMto ttortft hdH^. 
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AffmitM I 

riiiWIBti f f — Pl fMfMH 

Vmmwm AfBUn 



AcMon Pin ta K ti p o a n l»OK3/QAO/UI Aadfli/n«fram BnhattOM/Ravitwt 

Nmmot%lpeltVAINFOIUM^nNSYmk^S!Cmfllt^Cmlnt\^k^h,mmlmIml 
Kkktfhmii MU m m milmfnftr Dkttm mi 

OsBcar 

VIU Mmwd M-11, ClMplw Uk Plmcr^)te IMl c H) aid 1«.15 addint tWt towk 
Hmm panfnflM nni tfnt nefc Cfalii DtM SnHo^ than ntfiMtoh pi«c»diiin to 
nanvflMdmnfHMfcreaoii^fnejrplnntnflicamnL 16.15dnb 

wflh tfw onml Coallnfncf MnifnMnt ptooM «l tttt bdUjr tenl and tiw 
praotda«moMMf]rlaaMamftatti(tepla»aadwafUa(. lirfa fa • naiMlani 
praeKhavcteefcad (twins otMtti MBS amaitf mrfaw prana. In addition to dm* 
p tocad nm dwOtBeaaPdwCIOafaopiwidaa wMm a nty pfaamtogaoftwMofaoach 
VHA faelUtf M put ad a Mrtfanal coNbwt aasedafad ^ tfia OCX 

laoewoMndotiaB No. •: Soewity ooLa and raapeiMafliifaa m (faufy aafagnod and 
aacwliy nanafaaMnt fa (tvoB odafoafa atfanifaa. 

Cooew 

VHA Manual li-ll, Chapiaf 16 1604 a., addiwaaa ftfa faaaaL B oatablialMa 

dia rota for an fafonutfan Saewt^ OCtte (BO) at andi fadU^ tad doUaaafaa lha 
napoattUUIfaa and prograau ntoaataiy la angaft a foOp aoooattfol AB aacurily 
piogrmm. MBSwfllioqnaatdiataadiladlltyaaaplayafalMtnaBO. AdnftoiHifa 
neoaanaiidalfaii abaold bo aaaflaUa for aartow bjr Aitwl 1,1906 

l fa m a Bn> andatfaaiNa.ftKfalct aio aaaaaaa i paitodfaaflytaanaaraautcwitr^laojt 

4ppf<0pfltll- 

VHA Mamal M-11, Ghaptar Ptftgrapb 1616 Pfoeadorat for Rfak Analpafai, 
addiwaaa Oda faaoe. TbaaaaaaawaBlanqniradlptMapoUcjraratabaconpfafadnot 
laaaSianaooiplpoank thaOCIOhaapravidad Aafi^ wMaotooutodilak 
aaaoawaantaoftwoiolaaidtatfdapractaa. MBSfacwraidiywcrtos with a con t ractor 
to opgrada ttfa aoikwara la a orfMlowt format tad to pravida oompottr^waad tntntng 
toftwartforaOtMora. Tbta(dhraiafaa>yactadtobacampfatadbyjBly20|,1996 
fl ^a fu w l d aaaaflabfl^ fa aiyactod by Aagwt 261996 
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AfptmUx I 

CoMMsU From tb« Df ff l i t ot 
VtUnmAOUn 


AcMmi IIm bi iMpoM* to On/CAO/Ml AadMi/iyptnai Bvalottiom/Kavtowa 
N$mt<>tMtpartVAIMVU^AnONSYS7EJ^amfmkrQmMVVUmmmb$enm 

MM ^ frWMv flW ll^Vtpir MMMVV 

Itw i wt d t M mi Ho. Iflt Stemitf poMdw «rf pwad um < wp »iiwBrtwly ■d dn wi all 
Mptdl VA'i MVCOAMdid fBVifOMMBt 

Cenenr 

VHA'* MmwI l4»ll, Owp *»ll^ T mf ff k 1111 ft, Trftmnmumifitinwi md 
ffatwoffcftftddrMMidiiclMaft lnftddlHMitoftiipftn(nflv VHAh«alw 

U w tf w nK K«y««w Boitt who tl w w il ojx pottcy M>d W T k w 
r a ni l teiKft wiai lii i l n uB d wtl Bh n wI ia —byVHAhdUMtft TlMwIte m m i By 

wp ftift ti^d w ftlo m dpollcyd<>Mft|wMhtfw l ftl gmtw Tl i ' iwnnl TMt peUej'win b* 

loMiporaMlatottftnnlwnionadCiMplwll lldipollqrwfllb»Miplttidladfift 
fam tgr Aftfott 41991 

FawiiwntliHnii No. 11: Attai^ (bodt MoeHofnl and omuoomiM) to gala aocaaa to 
VA com puto r ty»ttoa» and tanaftNa data fflaa aad cillicai pro d ucUop profTtax atorad 
OB Umoo apvtoflto an faSftRtStel f^ortad and iwiawod osa tagulaf baala. 

CoBCItf 

VHA llaimal M-11 ClMq>tor 11 Pto agw p lB 1111 (2) and (5) addraaa Ihia Imuo. 
AddHtonaDy, MBSiic iii fft ftd y wort^wMhaceBbfftctortoaatabUthcritoriafcr 
monHoriag potontUI aatwoflc lacftrt^ teddali aad MBS ia comndy davalopliy a 
CoBipfttor Hn i wg a Br y i toa| iiin iaCapatmiyiDrtoaVHAaB» lr o BB >aB t ndaoapabiUly 
ahoftld tw laady Isr toiplaaaanlailOB by Dacaate 1991 

F ft rnin a ti ft n daltoBNo.4AaocaBl^oaaaa <gM fBadtoavlathidtotbodicatotetlccal 

and 

npOrt CMI ttM €0bdlhMMMMi 0^ OOQiPOlla 

CoQcnr 

VHA Mttittd M-lly Qttplv 14 Fmfrtfli li.lX hmdnw fo AB S«c«ri^ F^ognm 
Ammoma^ ^ddfiiiii Mi iMVib TMi riBrf f ** | 4! < y”* *^f**^ lof bo4li fartvnil And 
cxtinial riTteWi. At AtrtAd Airtiwv MPii ciiif i B y woridng wftfa « co ttfr Artor to 
tftrtABittM diA iKlsdOAl AACWl^ pOlthXI O^OW AKftmAl fWlAW pAOOAiia 
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A|ip«Bdlz I 

CoBa«ata Proa tk« DcpamiMt of 
Vttcruu AlUin 


Ek)do«ura(3) 


Department of 
Veterane Affaire 

JULl?«0 

taK Oaputy Undor SocroUvy for Managanam (201) 

^ OrafI GAO Rapott GAO Fila #20470. EDMS #24530 
^ AaaiatarK Sacratary for Policy ar>d Plarming (000) 


Memorandum 


1. VBA ftaa bagun addrataing tha tpadftc oonoamt raiaad by GAO m Ht draft 
raport, VA MOrmatiort Syatams: Cornputar Control W aal m ai i aa IrKraata Riik 
of Fraud, Miauaa and impropar Otadoaua. Our afforta induda lha foUowing 
adiona. 

A VBA aatabllahad an MOnnalion Sacurily Taak Forca lo raviaw lt>a aaourity 
araaa idanunad in #w GAO findinga. Tbataakforoapraparadanumbarof 
raoonvnandaborta to corrad pdicy ahortooming a arto acoaa a conird corKama idantifiad 
at tha Hinaa and Philadalphia BanaOta Dalivary Cantara 

b VBA ataff la raaaa rc hi ng tha purchaaa of ancryptlon aoltwara to pravant tba 
captura of umrwryptad maMrama IDa arto paaaworda from tha natwortc 

c Both BOCa ara updaing pdidaa and oparatirx) mamoranduma Hinaa will 
ahara ita updataa with PhUadaiphia ao that both BOCa hava aimilar procaduraa Thaaa 
updataa will addraaa GAO ooncam a wito raapad to natwodt oontrda 

d. Tha Philadalphia BBC haa appointad a naw fnforma ti on Sacurity Offwar who 
la ravlawirto toga and violation raporta. Tha Hinaa Sacurity Staff ia raviawing IBM Top 
Sacrat toga and ia Impiaman U ng tha ftooaywall Syatam Sacurity Manag ar loftwara. 

a. Hinaa arid Philadalphia BOC Information Sacurity Offioara ara raviawing 
aocaaa raquiramanta aa waft aa atatua of background invaatigationa for VBA and 
contractor amployaaa. 

f. HinaaBOChaaprapanodaStatamonlofWorklOrafuniiakaaaaaamanIto 
b9 ooodudvd iit Iht otnMr. 
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Ai^Bdix I 

Couwata Ftom tli« Oef«rt»eat of 
VctcnH Aflklra 


TTie following lA gao's continent on the Department of Veterans Affairs’ 
letter dated July 16,1998. 


GAO Cornm6nt va only concurred in principle with our recommendation to 

report the information system security weaknesses we identified as 
material internal control weaknesses in the department's fmfia report, the 
department's plans for evaluating computer control weaknesses for 
reporting as material weaknesses appear reasonable, va has committed to 
presenting outstanding control weaJmesses to the top management 
council when it meets in the first quarter of fiscal year 1999 to determine 
material fmfia weaknesses for fiscal year 1998. 
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years to Improve the federal government's performance in this important area. These efforts 
include actions by individual agencies, the Office of Maruigement and Budget, and the Chief 
Irrformatlon Officers CouncU, as well as irdtlatives outlined in the recently issued Presidential 
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Executive Summary 


Puipose 


Due to growing concerns about our government’s reliatu:e on inadequately 
protected information systems to support critical and sensitive oper^ons, 
the Chairman and Ranking Minority Member of the Senate Committee on 
Governmental Affairs asked gao to (1) evaluate the effectiveness of federal 
information security practices based on the results of recent audits and 
(2) review efforts to centrally oversee and manage federal information 
security. 'Hiis report describes the results of that analysis and outlines 
marukgement practices that could improve the effectiveness of federal 
agency security programs. 


Background 


Federal agencies rely on computers and electronic data to perform 
functions that are essential to the national welfare and directly affect the 
lives of miliions of individuals. More and more, these functions, which 
include natioiud defense, tax collection, benefits payments, and law 
enforcement, depend on automated, often intercoimected, systems and on 
electronic data rather than on manual processing and paper records. This 
shift has resulted in a number of benefits so that information can now be 
processed quickly and conununicated almost instantaneously among 
federal offices, departments, and outside organizations and individuals. In 
addition, vast amounts of useful data are at the disposal of anyone with 
access to a personal computer, a modem, and telephone. 

However, the government's increasing reliance on interconnected systems 
and electronic data also increases the risks of fraud, inappropriate 
disclosure of sensitive data, and disruption of critical operations and 
services. The same factors that benefit federal operations—speed and 
accessibility—also make it possible for individu^ and orgai^tions to 
inexpensively interfere with or eavesdrop on these operations from 
remote locations for purposes of fiaud or sabotage, or other malicious or 
mischievous purposes. 

'Hu'eats of such actions are increasing, in part, because the number of 
individuals with computer skills is increasing and because int)[usion, or 
‘‘hacking,’' techniques have become readily accessible througfi media such 
as magazines and computer bulletin boards. In addition, natural disasters 
and inadvertent errors by authorized computer users can have negative 
consequences if irdbrmation resources are poorly protected. 

Gauging the level of risk is difficult because summary data on computer 
security incidents and related damage are incomplete. However break-ins 
and damage of varying levels of significaiKe have been acknowledged in 
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both the public and private sectors, and media r^rts on intnisions, 
fraud, and sabotage abound. In a recent survey conducted by the 
Computer Security Institute in cooperation with the Federal Bureau of 
Investigation, 64 percent of the 520 respondents, which were from both 
the private and public sectors, reported computer security breaches within 
the last 12 months-^ 16 percent increase in security breaches over those 
reported in a similm' survey in 1997. While many of the survey respondents 
did not quantify their losses, those that did cited losses totaling 
$136 millioa' In an October 1997 report entitled Critical Foundationj: 
Protecting America’s Infrastructures , the President’s Commission on 
Critical Infr^tructure Protection described the potentially damaging 
implications of poor information security from a irational perspective, 
noting that computerized interaction within and among infirastructures has 
become so complex that it may be possible to do harm in ways that cannot 
yet be frilly conceived. 

To guard against such problems, federal agencies must take steps to 
understand their iidbrmation security risks and implement policies and 
controls to reduce these risks, but previous reports indicate that agencies 
have not adequately met this responsibility. In September 1996, gao 
reported that a broad array of federal operations were at risk due to 
information security wealmesses and that a common underlying cause was 
iiuulequate securify program management In that report, gao 
recommended that the Office of Management and Budget (omb) play a 
more proactive role in leading federal improvement efforts, in part through 
its role as chair of the Chief Information Officers (ao) Council. 
Subsequently, in a February 1997 series of reports to the Congress, gao 
designated information security as a new govemmentwide high-risk area.^ 
More recently, in its March 31,1998, report on the federal government's 
consolidated flnancuU statements, gao reported that widespread computer 
control deficiencies also contribute to problems in federal financial 
management because they diminish confidence in the reliability of 
financial maitagement data.’ 


Results in Brief 


The expanded amount of audit evidence that has become available since 
mid-19% describes widespread and serious weaknesses in the federal 
government’s ability to adequately protect (1) federal assets from fr:aud 


'*lMuet ind TrendK 1998 CSl/FB! CcKnputer Crime and Security Survey,’ March 4,199S. 


*Hi<h Risk Serlea: InformaCon Management and TechnoloC' (GAOi'HR-97e, February 1997). 


’Financial Audit: 1997 CoruoUdated Financial Statements of the United States Government 
(GA(VAIUfrWll27; liGTc'K JTIHB):- 
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and misuse, (2) sensitive infonmation from inappropriate disclosure, and 
(3) critical operations, including some affecting public safety, from 
disruption. Significant information security wealoiesses were reported in 
each of the 24 largest federal agencies, with iiuidequately restricted access 
to sensitive data being the most widely reported probleln. This and the 
other types of weaknesses identified place critical government operations, 
such as national defense, tax collection, law enforcement, and benefit 
payments, as well as the assets associated with these operatiotvs, at great 
risk of fraud, disruption, and iiu^propriate disclosures. In addition, many 
intrusions or other potentially malicious acts could be occurring but going 
undetected because agencies have not implemented effective controls to 
identify suspicious activity on their networks and computer systems. 

Individual agencies have not yet done enough to effectively address these 
problems. Specifically, agency officials have not instituted procedures for 
ensuring that risks are fiilly understood and that controls implemented to 
mitigate risks are effective. Implementing such procedures as part of a 
proactive, organization-wide security management program is essential in 
today's interconnected computing environments. 

Similarly, agency performance in this area is not yet being adequately 
managed from a govemmentwide perspective, although some important 
steps have been taken. The cio Council, under omb’s leadership, designated 
information security as a priority area in late 1997 and, since then, has 
taken some steps to develop a preliminaiy strategy, promote awareness, 
and identify ways to improve a federal incident response program 
developed by the National Institute of Standards and Technology (nist). In 
May 1^, Presidential Decision Directive (pdd) 63 on critical 
infrastructure protection was issued, pdd 63 acknowledged computer 
security as a national security risk and established several entities within 
the National Security Council, the Department of Commerce, and the 
Federal Bureau of Investigation to address critical infrastructure 
protection, including federal agency information infrastructures. At the 
close of GAo’s review in August 1998, it was too early to determine how the 
Directive’s provisions would be implemented and how they would relate 
to other ongoing efforts, such as those initiated by the cio Council. 

What needs to emerge is a coordinated and comprehensive strategy that 
incorporates the worthwhile efforts already underway and takes 
advantage of the expanded amount of evidence that has become available 
in recent years. The objectives of such a strategy should be to encourage 
agency improvement efforts and measure their effectiveness through an 
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ai^ropriate level of oversight This will require a more structured 
approach for (1) ensiirlrtg that risks are hilly understood, (2) promoting 
use of the most costreffecdve control techniques, (3) testing and 
evaluating the effectiveness of agency programs, and (4) acting to address 
identiDed deficiencies. This approach needs to be appU^ at Individual 
departments and agencies and in a coordinated fashion across 
government 


Principal Findings 


Significant Weaknesses at Audit reports issued from March 1096 through August 1998 identified 
24 M^or Agencies Place significant information security weaknesses in each of the 24 agencies 
Critical Operations at Risk covered by the analysis. The most widely reported type of weakness was 

poor control over access to sensitive data and systems. This type of 
. weakness makes it possible for an individual or group to inappropriately 
modify or destroy sensitive data or computer programs or inappropriately 
obtain or disclose confidential information for malicious purposes, such as 
personal gain or sabotage. In today’s increasingly interconnected 
computing envirorunent, poor access controls can expose an agency's 
information and operations to attacks fr^m remote locations all over the 
world by individuals with minimal computer and telecommunications 
resources and e:q>ertise. 

These weaknesses place a broad range of critical operations and assets at 
great risk of fraud, ndsuse, and disruption. For example, weaknesses at 
the Department of Defense increase the vulnerability of various military 
operations that support the Department’s warfighting capability, and 
weaknesses at the Department of the Treasury increase the risk of fraud 
associated with billions of dollars of federal payments and collections. 

In addition, information securiD^ weaknesses place an enormous amount 
of highly sensitive data at risk of inappropriate disclosure. For example, 
weaknesses at agencies such as the Internal Revenue Service, the Health 
Care Financing Admirdstration, the Social Security Admiidstration, and the 
Department of Veterans Affairs place sensitive tax, medical, and other 
personal records at risk of disclosure. 

As significant as these reported weaknesses are, it is likely that the full 
extent of control problems at individual agencies has not yet surfaced 
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because key areas of controls at many agencies have not been assessed. In 
particular, agency managers, who are primarily responsible for ensuring 
adequate security, have not hilly evaluated the adequacy of their 
computer-based controls. In addition, audits at most agencies have not yet 
fully covered controls associated with operating system software, which 
are critical to the security of all of the applications the systems support In 
agencies where this control area was reviewed, weaknesses were always 
identified. 


Iitiproved Security 
Program Planning and 
Management Needed at 
Individual Agencies 


Poor security program planning and management continue to be 
fundamental problems. Agencies have not yet developed effective 
procedures for assessing computer security risks, determining vdUch risks 
are significant, assigning responsibility for taking steps to reduce risks, 
and eiuuring that these steps remain effective. Security planning and 
management deficiencies were reported for 17 of the Zi agencies included 
in GAO's aiudysis and numerous recommendations have been made to 
address qiecific agency deficiencies. 

To identity potential solutions to this problem, gao studied the security 
management practices of eight organi^ons known for their superior 
security programs. These organizations included two financial institutions, 
a retailer, an equipment manufacturing company, a state uiUversity, a state 
agency, a regiottal electric utility, and a computer vendor, gao found that 
these organizatiorrs numaged their information security risks through a 
cycle of risk marragement activities, and it identified 16 specific practices 
that supported these risk marugement principles. 

These practices involve (1) establishing a central security numagement 
focal point, (2) assessing risk, (3) selecting and implementing 
cost-effective policies and controls, (4) promoting awareness, and 
(5) continually evaluatirrg and improving control effectiveness. They also 
emphasize the importance of viewing information security program 
martagement as an integral component of managing agency operatioru and 
of involving both program numagers and teclmical experts in the process. 

GAO published the findings ftom this study in the May 1998 executive guide 
Infonnation Security Maimgement; Learning FVom Leading Organizatiorts 
(GA0/AiMt>a»«8), which has been endorsed by the Federal ao Council. The 
guide's findiir^ are summarized in chapter 3 of this report 
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The security maruigement practices described in gao’s executive guide are 
most likely to be successful if they are implemented as part of broader 
improvements to iitformation technology management. Such 
improvements are underway across government due to specific 
information technology maitagement reforms mandated by the Paperwork 
Reduction Act amendments of 1995 and the Clinger-Ckihen Act of 1996. 


Initiatives to Improve 
Central Coordination and 
Management Need to 
Provide a Comprehensive 
Strategy 


Individual agencies are primarily responsible for the security of their 
information resources, but central management also Is important to 

(1) eivsure that federal executives understand risks to their operations, 

(2) morutor agency performance in mitigating these risks, (3) facilitate 
implementation of any needed improvements, and (4) address issues that 
affect multiple agencies. Under the Paperwork Reduction Act, this 
oversight responsibility lies with omb. 


Since September 1996 when gao reported that omb needed to strengthen 
its oversight of agency practices, the cio Council, under omb's leadership, 
has become a component of the administration's efforts to address federal 
information security problems and has taken some actions in this regard. 
Specifically, during 1997, the Council designated iifformation security as 
one of six priority areas and, late in the year, established a Security 
Committee. Since then, the Committee has (1) developed a preliminary 
plan for addressing various aspects of the problem, (2) established Lnks 
with other federal entities involved in security issues, (3) held a security 
awareness day for federal cios, deputy cios, and security officers, and 
(4) developed plans for reorienting the Federal Computer Incident 
Response Capability (Fedcmc), a program initiated by NiST to assist 
agencies in improving their security incident resporvse capabilities and 
other aspects of their security programs. 

In addition, omb has continued to monitor selected agency system-related 
projects, many of which have significant security implications. However, 
neither omb nor the ao Council has yet developed a program for 
comprehettsively overseeing and managing the security of critical federal 
operations by ensuring that agency programs are adequately evaluated and 
tlut the results are used to measure and prompt improvements, as 
recommended in gao’s September 1996 report. 


Concurrent with omb and cio Council efforts during late 1997 and early 
1998, the administration developed and issued pdd 63 in response to 
recommendations made by the President’s Commission on Critical 
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Infrastructure Protection. The Directive acknowledges computer security 
risk as a tuUioruil security risk, addresses a range of national infrastructure 
protection issues, and includes several provisions intended to ensure that 
critical federal computer, or “cyber-bas^,* systems are protected from 
attacks by our nation's enemies. Also, it establishes a National Coordinator 
for Security, Infrastructure Protection, and Counter-Terrorism, who 
reports to the President through the Assistant to the President for Natiotud 
Security Affairs; a Critical Infrastructure Coordination Group; and a 
Critical Infrastructure Assurance Office within the Department of 
Commerce. The Directive outlines planned actions pertaining to federal 
information security, which include: 

• requiring each federal department and agency to develop a plan for 
protecting its own critical infrastructure, including its cyber-based 
systems; 

• reviewing existing federal, state, and local entities charged with 
information assurance tasks; 

• enhancing collection and aiudysis of information on the foreign 
information warfare threat to our critical iitfiastructures; 

• establishing a National Infrastructure Protection Center within the Federal 
Bureau of Investigation to facilitate and coordinate the federal 
goverrunent's investigation and response to attacks on its critical 
infrastructures; 

• assessing U.S. Govenunent systems’ vulnerability to interception and 
exploitation; and 

• incorporatirtg agency iidrastnicture assiuance functions in agency 
strategic plarming and performance measurement frameworks. 

Though some of these efforts have begun, at this early stage of 
implementation, it is unclear how the provisions outlined in the Directive 
will be implemented aiKl how they will be coordinated with other related 
efforts, such as those of the cio Council. 


Conclusion 


Since September 1996, the need for improved federal information security 
has received increased visibility and attention. Important efforts have been 
initiated to address this issue, but more effective actions are needed both 
at the individual agency level and at the govemmentwide level. Many 
aspects of the recommendations gao made in September 1996 are still 
applicable. In particular, a comprehensive govemmentwide strategy needs 
to be produced. The cio Council’s efforts during late 1997 and the first half 
of 19%, as well as issuance of pod 63 in May 1998, indicate that senior 
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federal officials are increasingly concerned about information security 
risks, both to federal operations as well as to privately controlled national 
infrastructures, and are now moving to addre^ these concerns. 
(Coordinated efforts throughout the federal commimity, as envisioned by 
FDD 63, will be needed to successfully accomplish the objectives of these 
efforts and substantively improve federal irrformation security. It is 
especially important that a govemmentwide strategy be developed that 
clearly defines and coordiruUes the roles of new and existing federal 
entities in order to avoid mappropriate duplication of effort and ensure 
govenunentwide cooperation and support 


Reconunendation 


GAO recommends that the Director of omb and the Assistant to the 
President for Natioiul Security Affairs ensure that the various existing and 
newly initiated efforts to improve federal information security are 
coordinated under a compreheirsive strategy. Such a strategy should 

ensure that executive agencies are carrying out the responsibilities 
outlined in laws and regulations requiring them to protect the security of 
their information resources; 

clearly delineate the roles of the various federal orgairizations with 
responsibilities related to information sectuity; 
identify and rank the most significant information security issues facing 
federal agencies; 

promote irdbrmation security risk awareness among senior agency 
officials whose critical operations rely on automated systems; 
identify and promote proven security tools, techniques, and nunagement 
best practices; 

ensure the adequacy of information technology workforce skills; 
ensure that the securify of both financial and nonfinancial systems is 
adequately evaluated on a regular basis; 

include long-term goals and objectives, including time frames, priorities, 
and annual performance goals; and 

provide for periodically evaluating agency performance from a 
govenunentwide perspective and acting to address shortfalls. 


Agency Comments 
and Our Evaluation 


In commenting on a draft of this report, omb’s Acting Deputy Director for 
Management stated that omb and the ao Council, workuig with the 
National Security Council, have developed a plan to address the pdd 63 
provision that the federal government serve as a model for critical 
infrastructure protection and to coordinate the new requirements of the 
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FDD with the existing requirements of the various laws pertaining to 
federal infonnation security. The comments further stated that the plan is 
to develop and promote a process by which government agencies can 
(1) identify and assess their existing security posture, (2) implement 
security best practices, and (3) set in motion a process of continued 
maintenance. Also described are plans for a ao Council-sponsored 
interagency security assist team that will review agency security programs. 
Regarding our conclusion that many aspects of the recommendations in 
our September 1996 report are still applicable, omb reiterated its concern 
that the 1996 report's ‘‘overemphasis on omb’s role could distract program 
managers in the Federal agencies from their primary responsibility for 
assuring irdormation security.” The full text of omb‘s comments is 
reprinted in appendix ID. 

omb's comments indicate that it, the cio Council, and the Natioital Security 
Council are moving to coordiirate their resportsibilities and beginning to 
develop the comprehensive strategy that is needed. Based on the 
description provided, the plans being developed include several key 
elements, most notably a meairs of evaluating agency performance. These 
plans were still being fiiudized at the close of our work and were not yet 
available for our review. Accordingly, we are not able to comment on their 
content, scope, and detail, or whether they will be effective in improving 
federal information security. 

Regarding omb's concern that we have overemphasized its role, we agree 
that agency managers are primarily responsible for the security of their 
operations. Increased attention and support from central oversight, if done 
effectively, should not distract agencies from their responsibilities in this 
area. On the contrary, active oversight of agency performance is more 
likely to have the effect of emphasizing the agency managers' 
accountability and providing more visibility for agencies that are achieving 
their irrformation assurance goals as well as those that are falling short. 
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Chapter 1 _ 

Introduction 


This report provides a summary aiulysis of recently reported information 
security weaknesses at federal agencies aiKl describes marugement 
practices that federal agencies can adopt to help improve their seciuity 
programs. It also describes centralized efforts to oversee and marrage 
federal information security from a govenunentwide perspective. 

The vulnerabilities associated with our rurtion's reliance on intercormected 
computer systems are a growing concent At the federal level, such 
systems process, store, and transmit enormous amounts of sensitive data 
and are indispensable to many federal agency operations. Because of the 
importance of establishing and maintaining adequate security over federal 
operations. Senators FVed Thompson and John Glenn, Chairman and 
Ranking Minority Member, respectively, of the Senate Committee on 
Governmental Affairs, have undertaken an effort to address the various 
marugement, technical, and operational aspects of this problem. As part of 
that effort, they requested that we (1) summarize the effectiveness of 
federal information security, based on recently issued audit reports, 

(2) describe actioru agencies can take to improve their security programs, 
and (3) evaluate actions taken by the Office of Maruigement and Budget 
(OMB) and the federal Chief Irrformation Officers (ao) Council to address 
federal information security problems. This resulting report is one of 
several reviews that Chairman Thompson and Senator Gletui have 
requested as part of their ongoing oversight of federal irdbimation security 
and other aspects of information technology management Related gao 
reports are listed in appendix I. 


Computers and 
Electronic Data Are 
Indispensable to 
Federal Operations 


Federal agencies perform important functions that are essential to the 
national welfare and directly affect the lives of millions of individuals 
everyday. More and more, these functions, which include national defense, 
tax collection, import control, benefits payments, and law enforcement, 
depend on automated, often interconnected, systems and on electronic 
data rather than on manual processing and paper records. The benefits of 
this shift are increasingly obvious—information can be processed quickly 
and communicated almost instantaneously among federal offices, 
departments, and outside orgaidzations and individuals. In addition, vast 
amounts of data are at the disposal of anyone with access to a personal 
computer, a modem, and telephone. 

However, the government’s increasing reliance on interconnected systems 
and electronic data also increases the risks of finud, inappropriate 
disclosure of sensitive data, and disruption of critical operations and 
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services. The same factors that benefit federal operations—speed and 
accessibility—also make it possible for individuals and organizations to 
inexpensively interfere with or eavesdrop on these operations from 
remote locations for purposes of fi^ud or sabotage, or other malicious or 
mischievous purposes. Threats of such actions are increasing, in part, 
because the number of individuals with computer skills is increasing and 
because intrusion, or "hacking,* techniques have become readily 
accessible through magazines and on computer bulletin boards. In 
addition, natural disasters and iimdvertent errors by authorized computer 
users can have devastating consequences if information resources are 
poorly protected. 

Gauging the risk is difficult because summary data on computer security 
incidents and related damage are incomplete. However, in an October 
1997 report entitled Critical Foundations: Protecting America’s 
Infirastructures , the President’s Commission on Critical Infrastructure 
Protection described the potentially devastating implications of poor 
information security from a national perspective, noting that computerized 
interaction within and among infitistructures has become so complex that 
it may be possible to do harm in ways we caimot yet conceive. According 
to a recent statement by the Director of the National Security Agency, 
attacks on public and private systems occur everyday. For example, in 
February 1998, hackers used tools and teclmiques readily available on 
Internet bulletin boards to attack systems at the Department of Defense. 
Media reports on intrusions, fhtud, and sabotage abound, and, in a recent 
survey conducted by the Computer Security Institute in cooperation with 
the Federal Bureau of Investigation, 64 percent of the 520 respondents 
fix)m the private and public sector reported computer security breaches 
within the last 12 months. This is a l&percent increase in security 
breaches over those reported in a similar survey in 1997 and a 22-percent 
increase over those reported in 1996.' 

To guard against such problems, federal agencies, like other 
computer-dependent organizations, must take steps to understand their 
information security risks and implement policies and controls to reduce 
these risks. Specifically, federal agencies must protect the integrity and, in 
some cases, the confidentiality of the enormous amounts of sensitive data 
they maintain, such as personal information on individuals, financial 
transactioits, defense inventories, operational plans, and regulatory 
inspection records. In addition, they must take steps to ensure that 


'*I»ues and Trends 1998 CSI/FBI Computer Crime and Security Survey,' March 4,1996. 
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computerized operations supporting critical government functions are not 
severely disrupted. 


Previous Reports 
Have Identified 
Significant Security 
Problems 


Although the government's reliance on computers and 
telecommunications has been rapidly growing, reports over the last few 
years indicate that federal operations and data are inadequately protected 
and that these problems are serious and pervasive. In September 1996, we 
reported that, since September 1994, serious weaknesses had been 
r^rted for 10 of the largest 16 federal agencies.^ In that report we 
concluded that poor information security was a widespread federal 
problem with potentially devastating consequences, and we recommended 
that OMB play a more proactive role in overseeing agency practices and 
maiuging improvements, in part through its role as chair of the cio 
Council. Subsequently, in February 1997, in a series of reports to the 
Congress, we designsded information security as a new govemmentwide 
high-risk area.^ Most recently, in our March 31,1998, report on the federal 
government's consolidated fiiumcial statements, we reported that 
widespread and serious computer control weaknesses affect virtually all 
federal agencies and significantly contribute to many material deficiencies 
in federal financial management* In that report, we also noted that these 
weaknesses place enormous amounts of federal assets at risk of fraud and 
misuse, fiirancial data at risk of uimuthorized modification or destruction, 
seruitive information at risk of inappropriate disclosure, and critical 
(^rations at risk of disruptioa 

During 1996 and 1997, federal information s^^curity was also addressed by 
the President's Conunission on Critical Infrastructure Protection, which 
had been established to investigate our nation's vulnerability to both 
“cyber" and physical threats. In its October 1997 report. Critical 
Foundatiotts: F^tecting America's Infrastructures , the Commission 
described the potentially devastathig implications of poor information 
security from a national perspective. The report also recognized that the 
federal government must ‘lead by example,” and included 
recommendatiorts for improving government systems security, expediting 
efforts to facilitate the use of encryption, developing risk assessment 


Information Secuiity: Opportunitiea for Improved OMB Ovcratiiht of Ajtency Practices 

(GA(VAlMMfrlliJ:iSi*fe'«.1W5). - - - 

*High Rialt Series; Information Management and Technology (GAOWt-OTe, February 1997). 
^FUtandal Audit 1997 ConaoUdated Fteaitctal Statements of the United States Government 

(CAtVUMDWlS?, 31. IMS).- 
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methods, measuring performance, and elevating threat assessments as a 
foreign intelligence priority. 

A number of factors contribute to poor federal information security 
including insufiQcient awareness and understanding of risks, a shortage of 
staff with needed technical expertise, a lack of systems and security 
architectures to facilitate implementation and numagement of security 
controls, and various problems associated with the availability and use of 
specific technical controls and monitoring tools. All of these are 
important; however, an underlying theme that was identified in our 
September 1996 report is a lack of security program management and 
oversight to eivsure that risks are identified and addressed and that 
controls are working as intended. 


Responsibilities 
Outlined in Laws and 
Guidance 


The need to protect sensitive federal data maintained on autonmted 
systems has been recognized for years in various laws and in federal 
guidance. The Privacy Act of 1974, as amended; the Paperwork Reduction 
Act of 1980, as amended; and the Computer Security Act of 1987 all 
contain provisions requiring agencies to protect the confidentiality and 
integrity of the sensitive information that they maintain. The Computer 
Security Act (Public Law 100-236) defines sensitive information as “any 
information, the loss, misuse, or unauthorized access to or modification of 
which could adversely affect the national interest or the conduct of 
Federal programs, or tlie privacy to which individuals are entitled under 
the Privacy Act, but which has not been specifically authorized under 
criteria established by an Executive Order or an Act of Congress to be 
kept secret in the interest of natioiul defense or foreign policy.” 


In accordance with the Paperwork Reduction Act of 1980 (Public Law 
96-611), OMB is responsible for developing information security policies 
and overseeing agency practices. In this regard, omb has provided guidance 
for agencies in omb Circular A-130, Appendix m, “Security of Federal 
Automated Information JResources.” Since 1986, this circular has directed 
agencies to implement an adequate level of security for all automated 
information systems that ensures (1) effective and accurate operations 
and (2) continuity of operations for systems that support critical agency 
functions. The circular establishes a minimum set of controls to be 
included in federal agency information system security programs and 
requires agencies to periodically review system security. Responsibility for 
developing techidcal standards and providing related guidance for 
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sensitive data belongs primaiily to the National Institute of Standards and 
Technology (nist), under the Computer Security Act 

The Clinger-Cohen Act of 1996 recently reemphasized omb, nist, and 
agency responsibilities regarding information security under a broader set 
of requirements aimed at improving information technology management 
in general. In particular, the act stipulated that agency heads are directly 
responsible for information technology mairagement including eivsuring 
that the information security policies, procedures, and practices of their 
agencies are adequate. The act also required the appointment of a cio for 
each of the 24 largest federal agencies to provide the expertise needed to 
implement needed reforms. Subsequently, in July 1996, the President 
established the ao Council, chaired by omb, to address govenunentwide 
technology issues and advise omb on policies and standards needed to 
implement legislative reforms. Council members include aos and Deputy 
CIOS from each of the mrOor agencies. 

The adequacy of controls over computerized data and the numagement of 
these controls are also addressed Indirectly by the following additional 
laws: 

• TTie Federal Managers’ Flirancial Integrity Act (fmfta) of 1982 requires 
agency matragers to aimually evaluate their internal control systems and 
report to the President and the Congress any material weaknesses that 
could lead to fraud, waste, and abuse in goverrunent operatioivs. 

• The Chief Financial Officers (cro) Act of 1990, as expanded by the 
Government Management Reform Act of 1994, requires agency cpos to 
develop and maintain financial management systems that provide 
complete, reliable, consistent, and timely information. Under the act, 
nuyor federal agencies prepare annual financial statements and have them 
audited by their respective inspectors general. In practice, such audits 
generally include evaluating and testirrg controls over the security of 
automat^ fiiumcial maruigement systems. 

• The Federal Fmancial Management Improvement Act of 1996 requires 
auditors to report whether agency financial management systems comply 
with certain established firumcial management s>'stems requirements, omb 
guidance to agency cfos and igs lists these systems requirements, which 
include security over financial systems provided in accordance with omb 
Circular A-130, Appendix IE, “Swurity of Federal Automated Information 
Resources." Agency managers are responsible for developing remediation 
plans to address the problems noted by the auditors. 
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• The Government Peifomumce and Results Act of 1993 requires agencies to 
establish goals for program performance, measure results, and report 
armually on program performance to the President and the Congress. 

In May 1998, Presidential Decision Directives 62 and 63 established 
additional requirements for ensuring protection of our nation’s critical 
irifrastructures fiom both physical and “cyber," or computer-based, 
threats. At the close of our fieldwork in August 1998, it was too early to 
determine how these directives would be implemented. However, the 
provisions pertairting to federal agency information security that are 
specified in Directive 63 are summarized in chapter 4. Presidential 
Decision Directive 62, which pertairu to counter-terrorism responsibilities, 
is classified and, therefore, is not discussed in this report. 


Objectives, Scope, 
and Methodology 


The objectives of this report are to 

describe the extent of federal ird’ormadon security problems and the 
associated risks based on reports issued since March 1996, — 

identify management, actioiis that could effect significant and long-term 
improvements in information security at the individual agency level, and 
evaluate governmentwide efforts to improve information security, 
especially actiorts taken since September 1996 by omb andihe cio Council, 
and identify needed additioital actions. 

To describe the extent of information security problems and associated 
risks, we analyzed findings fiom over 80 gao and agency reports, including 
iitspector general (lo) reports, issued fiom March 1996 through 
September 1998. These included some reports for which distribution has 
been restricted because they discuss sensitive aspects of agency 
operations. Although we considered the results of these restricted reports 
when developing sununary data on agency weaknesses, the related 
findings are not discussed in detail nor the agency identified. 'The reports 
we considered pertained to the 24 federal departments and agencies 
covered by the CFO Act Together these departments and agencies 
accounted for about 99 percent of the total reported federal net outlays in 
fiscal year 1997. The reports we analyzed, excluding those that are 
restricted, are listed in appendixes I and II. 

In analyzing reported findings, we categorized them into six basic areas of 
general control: security program planning and martagement, access 
control, application program change control, segregation of duties, 
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operating systems security, and service continuity. These six areas of 
general controls provide a framework for comprehensively evaluating 
mformation security. 'Rie six categories are defined and described in 
cluster 2. 

To identify management actions that could effect fundamental 
improvements in security at individual agencies, we summarized the 
results of our recent study of Information security program management 
practices at leading organizations. We performed this study because 
previous audits had shown that poor security program management was 
an underlying cause of information security control weaknesses. In 
May 1998, we published the results of this study as an executive guide 
entitled Information Security Management: Learning From Leading 
Organizations ^^OAO/AiMD-ases). 


To assess omb’s leadership and coordination of federal information 
security efforts, we met with officials from omb’s Office of Information and 
Regulatory Affairs to discuss their activities related to information security 
and progress on recommendations made in our report Information 
Security: Opportunities for Improved omb Oversight of Agency Practices 
(GAO/AiMD-96-110, September 24,1996). We also discussed the iifformation 
security-related activities of the federal ao Council with members of the 
Council’s Security Committee and reviewed related documentation, such 
as meeting minutes and the cto Council’s January 1998 govemmentwide 
strategic plan for information resources management 

We also obtained and reviewed Presidential Decision Directive 63, which 
was issued May 22,1998, late in our review. This directive specifies 
requirements for protecting our nation’s critical iiffi^tructures and 
Includes provisions pertaining to federal agency mformation security. 

Our review was conducted from December 1997 through August 1998 in 
accordance with generally accepted government auditing standards. One 
of the reports we relied on, va Information Systems: Computer Control 
Weaknesses Increase Risk of Fraud, Misuse, and Improper Disclosure 
(gao/aim[>8S-175), is being Issued in September 1998. However, a complete 
draft was available at the close of our review in August omb provided 
written corrunents on a draft of this report, which are discussed in the 
‘Agency Comments and Our Evaluation’’ section in chapter 4 and 
reprinted in appendix IK. 
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Related GAO Efforts 


In addition to this report, we have worked with the Congress, primarily the 
Senate Committee on Governmental Afiairs, to pursue a comprehensive 
strategy for addressing the federal infomiation security problems. This 
strategy involves supplementing our audit work with research projects and 
other actions to promote and provide sxippoit for federal efforts in this 
area. This strategy comprises the following activities: 


• To assess the effectiveness of federal information security and assist the 
Congress in its oversight role, we are continuing to perform audits at 
selected individual agencies and develop specific recommendations for 
improvement Some of these evaluations are performed as part of our 
financial statement audits at individual agencies and some pertain to 
nonfinancial missiorvcritical systems. 

• To assist agency Inspectors general in conducting or arranging for 
information security audits, we began an extensive effort during 1997 to 
evaluate such audit efforts at each of 24 nuOor federal agencies. We 
performed, and will continue to perform, this work in conjunction with 
oiv armual audits of the consolidated financial statements of the federal 
goverrunent, which are required under the cro Act as expanded by the 
Government Management Reform Act At many of these agencies, we have 
provided extensive on-site guidance to the inspector general staff to 
ensure that we could rely on their audit conclusions. 

• To promote more comprehensive audits of federal information security, in 
August 1997, we issued an exposure draft of our Federal Irdbrmation 
System Controls Audit Manual (CACVAMD-itias), which describes a 
methodology for evaluating federal agency information security programs. 
This methodology has guided our own audit work for several years and 
Iras recently been adopted by many agency inspectors general. 

• To assist in improving the expertise of federal audit staff, we have engaged 
contractors and partnered with organizations, such as the Information 
Systems Audit and Control Association, to offer technical training sessions 
for GAO and lo staff involved in evaluating computer-based controls. 

• To promote a broader understanding among Meral managers of the 
practices that make an information security program successful, during 
1997, we studied the practices of eight nonfederal organizations and 
developed an executive guide that summarizes the results. This guide, 
entitled Information Security Management Learning From Leading 
Organizations (gao/aimivos«8) was published in May 1998. We are now 
working with agencies, including omb, and the CK> Council to encourage 
agencies to implement these practices. 

• To promote more effective central leadership, oversight, and coordiruttiotr, 
we are continuing to monitor and work with omb, the ao Council, nist, and 
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others with a govenunentwide role regarding information security, 
including entitles established under Presidential Decision Directive 63 to 
protect our luttion’s critical Infrastructures. 

• To assist the Congress, we are continuing to provide status reports on 
infor>nation seciuity as a higlHrisk issue and information on related topics, 
as requested. 
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Significant Weaknesses Identified at All 
Mgjor Agencies 


Evaluations of computer security published since March 1996 present a 
disturbing picture of the federal goveininent's lack of success in protecting 
its assets from fraud and misuse, sensitive information from inappropriate 
disclosiure, and critical operations frx>m disnq>tion. Significant information 
security weakness were identified in each of the 24 agencies covered by 
our analysis—agencies that in fiscal year 1997 accounted for 99 percent of 
reported federal net outlays. These weaknesses place a broad range of 
critical operations and assets at risk for flraud, misuse, and disruptioa In 
addition, they place an enormous amount of highly sensitive data, much of 
it on individual taxpayers and beneficiaries, at risk of inappropriate 
disclosure. 

Weaknesses were reported in a variety of areas that we have categorized 
into six areas of‘general controls.” General controls are the policies, 
procedures, and technical controls that apply to all or a large segment of 
an entity’s Information systems and help ensure their proper operation. 

'The most widely reported weakness was poor control over access to 
servsitive data and systems. This type of weakness makes it possible for an 
individual or group to inappropriately modify, destroy, or di^lose 
sensitive data or conqiuter programs for purposes such as personal gain or 
sabotage. In today's increasingly interconnected computing environment, 
poor access controls can expose an agency’s information and operations 
to attacks fix>m remote locations all over the world by individuals with 
mitlimal computer and telecommunications resources and expertise. 

The full extent of control problems is not known because all six of the 
general control areas were reviewed at only 9 of the 24 agencies. In 
particular, most audits have not yet covered controls associated with 
system software, which are critical to the security of all applications 
supported by a system. In agencies where this control area was reviewed, 
weaknesses were always found, as shown in table 1. 

Table 1 provides an overview of the types of weaknesses reported 
throughout the govenunent, as well as the gaps in audit coverage. The 
pages following Table 1 describe (1) the risks these weaknesses pose to 
mryor federal operations and (2) common types of deficiencies identified 
in each of the six general control categories. 
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Tabt* 2.1: Areas of Information 

Security Weaknaae Reported for the 24 
Largest Agenelea 

Oeneral control area 

Number of agendas 
Signiflcent No slgnMcant 

Mantlflad WantHled 

Atm not 

rovtowod 


Entitywide security program 
planning and management 

17 

0 

7 


Access controls 

23 

0 

1 


Application software development 
and change controls 

14 

4 

6 


Segregation of duties 

16 

1 

7 


System software controls 

9 

0 

15 


Senrice continuity controls 

20 

0 

4 


Note: Mott o( the audits used to develop this table were performed as part of financial statement 
audits. At some agencies with primarily financial-related misaiotM. such as the Departmertt of the 
Treasury and the Social Security Administration, these audHs covered Ihe bulk of mistiorvrelaied 
operations. However, at odier agencies whose mitaiont ara primarily nonlinanclal. such u the 
Departments of Defense and Justice, the audits used to develop this table may provide a less 
complete picture of the agency’s overall security posture because the audit objectives focused 
on the financial statements and dtd not includs evaluating systems supporting nonfinancial 
operations. Nevertheless, at agencies where computer-based controls over nonfinancial 
operations have been audited, similar weaknesses have been identified. 


Examples of 
Weaknesses at 
Individual Agencies 
Highlight Risks 


To understand the significance of the weaknesses sununarized in table 1, it 
is necessary to liitk them to the risks they present to federal operations 
and assets, ^%tually all federal (q[>eration8 are supported by automated 
systems and electronic data, and agencies would find it difficult, if not 
impossible, to carry out their missions aiKl account for their resources 
without these information assets. Descriptions of reported weaknesses 
and related risks to selected nuvjor federal operations follow. 


Depanment of the The Department of the Treasury, which includes the Internal Revenue 

IVeasury Service; U.S. Customs Service; Bureau of the Public Debt; Financial 

Maruigement Service; and Bureau of Alcohol, Tobacco, and Firearms; 
relies on computer sys^rns to process, collect or disburse, and account 
for over a trillion dollars in federal receipts and payments aimuaUy. In 
addition, tlie department’s conq>uters handle enormous amounts of highly 
sensitive data associated with taxpayer records and law enforcement 
operations and support operations critical to financing the federal 
government, maintainirtg the flow of benefits to individuals and 
organizations, and controlling imprxts and exports. 
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Department of Defense 


Protecting these operations and assets is essential to the welfare of our 
nation. However, weaJcnesses have been reported for several of Treasury’s 
nuOor bureaus, and, in some cases, these weaknesses have been 
outstanding for years. For example: 

• In March 1998, the Treasury IG reported that deficiencies in the 
effectiveness of computer-based controls in multiple bureaus constituted a 
material weakness in the department's internal control structure and 
increased the risk that unauthorized individuals could intentionally or 
inadvertently add, alter, or delete sensitive data and programs.' 

• In three 1997 reports,* we identified a wide range of continuing serious 
weaknesses in IRS systems, including inadequate controls over employee 
browsing of taxpayer records, an area that has received considerable 
attention for several years and was recently addressed by legislation 
specifying penalties for such browsing.* 

• In March 1998, the Treasury ig reported Customs Serv.ce weaknesses 
associated with systems supporting trade, financial management, and law 
enforcement functions. Many of these weaknesses had been reported 
armually since 1994.^ 

Numerous recommendations have been made to Treasury bureaus over 
the years to correct these weaknesses, and many corrective actions are 
underway. In particular, IRS recently began a broad effort to strengthen its 
overall security program by centrali^g responsibility for security issues 
within a newly created executive-level office and increasing investments in 
physical security. Further, the Financial Management Service concurred 
with our recommendations and is developing corrective action plans. 


The Department of Defense (dod) relies on a vast and complex 
information mfiastructure to support critical operations such as designing 
weapons, identifying and tracking enemy targets, paying soldiers, 
mobilizing reservists, and managing supplies. Indeed, its very warfighting 


'Report on the Department ofthe Treasuty's Fiscal Year 1997 Custodial Schedules and Administrative 
Statements (OlG-98-066, March 30.1998), as included in the Department of the Treasury’s 
Accountability Report for Fiscal Year 19^. 

IRS Systems Security Tax Proceaslng Operations and Data Still ^5?!* Pue to Serioia Weaknesses 
(GACy/UMD. 97 .^ 9 , April 8.1997); Flnanciai Audit ExytUn^on of IRS' Fiscal Vear AdriunisgiBve 
Financial Statements (GACVAIMD.97.89, August 29,1997); Financial Audit Exarnination of IRS' Fiscal 
Vear 1900 Gustodial Financial Statements (GA0/A1MD^18, December 24,190'i). 


*raxpayer Browsing Protection Act (Public Law 105-35). 

'Department of the Treasury’s Inspector General Report Report on the U.S. Customs Service’s Fiscal 
Years 1997 and 1996 Financial Statements (OI&OB^, March 5,1698). 
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capability is dependent on computer-based telecommunications networks 
and information systems. Defense's computer systems are particularly 
susceptible to attack through connections on the Internet, which Defense 
uses to enhance communication and information sharing. 

In May 1996, we reported that attacks on Defense computer systems were 
a serious and growing threat^ The exact number of attacks could not be 
readily determined because tests showed that only a small portion were 
actually detected and reported. However, the Defense Information 
Systems Agency estimate that attacks numbered in the hundreds of 
thousands per year, were successful 65 percent of the time, and that the 
number of attacks was doubling each year. At a minimum, these attacks 
are a multimillion dollar nuisance to Deferue. At worst, they are a serious 
threat to national security. According to Defense officials, attackers have 
obtained and corrupted sensitive information—they have stolen, modified, 
and destroyed both data and software. They have installed unwanted files 
and “back doors" which circumvent normal system protection and allow 
attackers unauthorized access in the future. They have shut down and 
crashed entire systems and networks, denying service to users who 
depend on automated systems to help meet critical missions. Numerous 
Defense functions have been adversely affected, including weapons and 
supercomputer research, logistics, finance, procurement, personnel 
management, mUitaiy health, and payroll. In March 1998, dod aimounced 
that it had recently identified a series of organized intrusions, indicating 
that such events continue to be a problem. 

The same weaknesses that allow attacks from outsiders could also be 
exploited by authorized users to commit fraud or other improper or 
malicious acts. In fact, a knowledgeable insider with malicious intentions 
can be a more serious threat to many operations since he or she is more 
likely to know of system weaknesses and how to disguise inappropriate 
actions. 

Subsequent reports have identified a broad array of specific control 
weaknesses that increase the risks of damage from such attacks, as well as 
from malicious acts and inadvertent mistakes by authorized users. For 
example, in September 1997, we reported that Defense had not adequately 
(1) controlled the ability of computer progranuners to make changes to 
systems supporting the Military Retirement Trust Fund, (2) controlled 
access to sensitive information on pension fund participants, or 


‘Infomution Security: Computer Attacks at Department of Defense Pose Increasinji Risks 
(CA<VAlMD-d&ir May 22, idM).- - - - 
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(3) developed or tested a comprehensive disaster recovery plan for the 
sites that process Fund data. 'Diese weaknesses expose sensitive data 
maintained by these systems to unnecessary risk of disclosure and, should 
a disaster occur, there is no assurance that the operations supported by 
these facilities could be restored in a timely manner.* Similarly, In 
October 1997, the Defense ic reported serious authentication and access 
control weaknesses associated with a system that, in fiscal year 1996, 
maintained contract administration and payment data associated with a 
reported 387,000 contracts for which the reported value was over 
$810 billion.^ Weaknesses in other areas, too sensitive to be reported 
publicly, pose risks of more serious consequences. 

Reports to [X)D have included numerous recommendations related to 
specific control weaknesses as well as the need for improved security 
program management dod is taking a variety of steps to address these 
problems and is establishing the Departmentwide Information Assurance 
Program to improve and better coordinate the information security-related 
activities of the military services and other dod components. 


Department of Health and in August 1997 and April 1998, the Health and Human Services (hhs) ig 
Human Services reported serious control weaknesses affecting the reliability, 

confidentiality, and availability of data throughout the department* Most 
significant were weaknesses associated with the Department's Health Care 
Financing Administration (hcfa), which, according to its reports, was 
responsible for processing health care claims for over 38 million 
beneficiaries and expending 84 percent of hhs’ $340 billion fiscal year 1997 
budget HCFA relies on extensive data processing operations at its central 
office and about 60 contractors using multiple shared systems to collect, 
analyze and process personal health, financial, and medical data 
associated with about 853 million Medicare claims, armually. 

In the 1997 report, the IG reported that Medicare contractors were not 
adequately protecting confidential personal and medical information 
associated with claims submitted. As a result, contractor employees could 
potentially browse data on individuals, search out information on 


'nnand«l Miugtmen t Rfview of the Miliuiy Retirement Tout Fund's Actuanal Modtl and RelMtd 
Computer ConOw (GA(VAlMP-y/-lM, September 9, Wt). 

'Generul and Applicatio n Controls Over the Mechanization of Contract Administration Services 
System , DODIG, Report Number 9S007', October 19ft7. 

^Report o n the Flnandal Statement Audit of the Department of Health and Human Services for Fiacal 
Year 1996 fA-17.9&eodi. August 29.1997!) and fteptm on t he hnancial Statement Audit of the 
PepaitmentofHealthandHuman ^rviceafof Ftocal Year (A-lT-SSOOdl, April 1.1998). 
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acquaintances or others, and, possibly, sell or otherwise use this 
information for personal gain or malicious purposes. Similar conditions 
were reported in 1998. 

In the 1998 report, the ic reported that data security remained a m^uor 
concern at hcfa’s central office. Auditor’s tests showed that although hcfa 
corrected weaknesses found in the prior year, it was possible to gain 
access to the mainframe database and modify managed care production 
files. In addition, the ic found that users without specific authorization 
could potentially gain update access to those same files. Further, as 
reported in 1997 and 1998, because controls over operating system 
software were ineffective, knowledgeable individuals could surreptitiously 
modify or disable security controls without detection. 

In both its 1997 and 1998 reports, the re recommended that (1) systems 
access be properly controlled, pas vords be granted consistent with 
assigned responsibilities, and passwords be periodically changed, 

(2) application development and program change control procedures be in 
place to protect against unauthorized changes, (3) computer-related duties 
be properly segregated, and (4) service continuity plans be kept current 
and periodically tested, hhs has recognized the need to protect the security 
of information technology systems and the data contained in them. 

Starting in 1997, hhs began to revise security policies and guidance and 
required each mtOor operating division to develop and implement 
corrective action plans to address each m^or weakness identified in tlie 
August 1997 report. 


Social Security The Social Security Administration (ssa) relies on extensive information 

Administration processing resources to carry out its operations, which, for 1997, included 

payments that totaled $390 billion to 50 million beneficiaries. This 
represents about 25 percent of the $1.6 trillion in that year's federal 
expenditures. The administration also issues social security numbers and 
maintains earnings records and other personal information on virtually all 
U. S. citizens. According to ssa, no other public program or public-service 
entity directly touches the lives of so many people. 

The public depends on ssa to protect trust fund revenues and assets from 
fraud and to protect sensitive information on individuals from 
inappropriate disclosure. In addition, many current beneficiaries rely on 
the uninterrupted flow of monthly payments to meet their basic needs. 
However, in November 1997, the Social Security Administration IG 
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reported widespread weaknesses in controls over access, continuity of 
service, and software program chattges that unnecessarily place these 
assets and operadotts at risk.* 

Access control weaknesses exposed the agency and its computer systems 
to external and internal intrusion, thus subjecting sensitive ssa information 
to potential unauthorized access, modification, or disclosure. Other 
weaknesses increased risks of introducing errors or irregularities into data 
processirrg operations and allowed some individuals to bypass critical 
controls, such as authorization and supervisory review. 

Such weaknesses increase the risk that an individual or group could 
fraudulently obtain payments by creating fictitious beneficiaries or 
increasing payment amounts. Similariy, such individuals could secretly 
obtain sensitive Information and sell or otherwise use it for persorud gain. 
The recent growth in “identity theft," wher^ personal information is stolen 
and used fraudulently by impersonators for purposes such as obtaining 
and using credit cards, has created a market for such information. 
According to the ssa io‘s September 30,1997, report to the Congress 
(included in the ssa’s fiscal year 1997 Accountability Report), 29 crimirud 
convictions involving ssa employees were obtained during fiscal year 1997, 
most of which involved creating fictitious identities, firaudulently selling 
SSA cards, rtdssppropriating refunds, or abusing access to confidential 
information. 

In two separate letters issued to ssa management, the ic and its contractor 
made recommendations to address the weaknesses reported in 
November 1997. ssa agreed with the miOority of the recommendations in 
the first letter and has developed related corrective action plarvs. The 
Administration is still reviewing the second set of recommendations and 
plarming related corrective actions. 


Department of Veterans The Department of Veterans Affairs (va) relies on a vast array of computer 
Affairs systems and telecommunications networks to support its operatiorrs and 

store the sensitive information the department collects in carrying out its 
mission. In September 1998, we reported that general computer control 
weaknesses placed critical va operations, such as financial numagement, 
healthcare d^ety, benefit payments and life insurance services at risk of 


^SocUI SecuiUy Accounttbility Rtport for FtoaJ Yew 1807 , SSA Pub. Na 31-231, November 1997. 


Pace 19 


0A(yAlia>-9fr«l PeCeraJ laTonaadoB Seewity 





157 


Ckapterl 

Slfallicaat WmIbcmm IdeatUled at All 
MiOmAccmIm 


misuse and disruption.*** In addition, sensitive information contained in 
va's systems, includiiig financial transaction data and personal information 
on veteran medical records and benefit payments, was vulnerable to 
Inadvertent or deliberate misuse, fraudulent use, improper disclosure, or 
destruction—possibly occurring without detection. 

VA operates the largest healthcare delivery system in the United States and 
guarantees loans on about 20 percent of ^e homes in the country. In fiscal 
year 1997, va spent over $17 billion on medical care and process^ over 
40 million benefit payments totaling over $20 billion. The depa rtment also 
provided insurance protection through more than 2.6 million policies that 
represented about $24 billion in coverage at the end of fiscal year 1997. In 
addition, the va systems support the department’s centralized accounting 
and payroll fiinctions. In fis<^ year 1997, va’s payroll was almost 
$11 billion, and the centralized accounting system generated over 
$7 billion ^ additional payments. 

In our report, we noted significant problems related to the departments 
control and oversight of access to its systems, va did not adequately limit 
the access of authorized users or effectively manage user identifications 
and passwords. The department also had not established effective controls 
to prevent individuals, both internal and external, firom gaitdirg 
unauthorized access to va systems, va’s access control weaknesses were 
further conqrounded by ineffective procedures for overseeing and 
monitorirrg systems for unusual or suspicious access activities. 

In addition, the department was not providing adequate physical security 
for its computer facilities, by not assigning duties in such a way as to 
segregate incompatible functions, controlling changes to powerful 
operating system software, or updating and testing disaster recovery plans 
to prepare its computer operations to maintain or regain critical fimctioiu 
in emergencies. Many of these access and other general computer control 
weaknesses were sii^ar to weaknesses that had been previously 
identified by va’s Office of Inq>ector General and consultant evaluations. 

A primaiy reason for va’s continuing general computer control problems is 
thiu the department does not have a comprehensive computer security 
plaruiing and management program. An effective program would include 
guidance and procedures for assessiitg risks and mitigating controls, and 
monitoring and evaluating the effectiveness of established controls. 
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In our report to va, we recommended that the Secretary direct the ao to 
(1) work with the other va aos to address all identified computer control 
weaknesses, (2) develop and implement a comprehensive departmentwide 
computer security planning and management program, and (3) monitor 
and periodically report on the status of improvements to computer 
security throu^out the department. In commenting on this report, va 
agreed with these recommendations and stated that the department would 
Immediately correct the identified computer control weaknesses and was 
developing plans to correct deficiencies previously identified by the va ig 
and by internal evaluations. 


Department of State in May 1998, we reported that the Department of State did not have a 

program for compn‘hensively managing the information security risks 
associated with its many sensitive operations." State relies on numerous 
decentralized information systems and networks to carry out its 
worldwide responsibilities and support business hmctions. Unclassified 
data stored in these systems are sensitive and make an attractive target for 
individuals and organizations desiring to learn about and damage State 
operations. For example, computerized information on Americans and 
Foreign Service Nationals, such as personnel records, pay data, private 
health records, and background investigation information about 
employees beir^g ccmsidered for national security clearances could be 
useful to foreign governments wishing to build personnel profiles, and its 
disclosure might uiuiecessatily endanger State en^loyees. 

Despite its reliance on computers. State (1) lacked a central security 
maruigement group to oversee and coovdiriate security activities, (2) did 
not routinely perform risk assessments so that its sensitive information 
could be protected based on its sensitivity, criticality, and value, (3) relied 
on a primary irrformation security policy document that was outdated and 
incomplete, (4) did not adequately ensure that computer users were hilly 
aware of risks and of their responsibilities for protecting sensitive 
information, and (5) lacked key controls for monitoring and evaluating the 
effectiveness of its security program, including procedures for reqxmding 
to security incidents. 

We also noted that State’s information systems and the information 
contained within them were vulnerable to access, change, disclosure, 
disruption or even denial of service by uruuithorized individuals. Our 
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penetration testa, which were designed to determine how susceptible 
State’s systems were to unauthorized access, revealed that it was possible 
to access sensitive Informatioa Flirther, these tests went largely 
urtdetected, ftuther underscoring the department's serious vulnerability. 
As a result, iiKlividuals or organizations seeking to damage State 
operations, commit terrorism, or obtain fiiuincial gain could possibly 
exploit the department's information security weaknesses. 

In our report to State, we made a variety of recommendations directed 
toward improving the department’s management of its information 
security efforts and assi^ing State in developing a comprehensive 
iitformation security program. State formally acknowle^ed weaknesses in 
its information security maiuigement and generally agreed with our 
recoirunendations. Senior State managers say that their commitment to 
improving information security has increased but that hilly implementing 
our recoirunendations will require time and resources. 


In September 1997, the Department of Justice ig reported serious 
departmentwide computer-based control weaknesses that Jeopardized a 
number of sensitive cgierations.'^ Access controls were weak over files 
supporting various operations at the Federal Bureau of Investigation, Drug 
Eiiforcement Administration, Immigration and Naturalization Service, and 
the U.S. Marshals Service. User passwords were not required to be 
changed, security software was not configured to prevent access by 
inactive users, system programmers had been inappropriately provided the 
ability to make numerous types of modifications to files that would allow 
them to circumvent security crmtrols or assist others in such actions. 
Program change control procedures for system and application software 
were not formally documented or uniformly followed, iiKieasing the risk 
that uiuuithoiized software changes or unintentional errors could be 
made. Further, the ig reported that the department did not have a plan to 
recover primary systems, critical data processing applications, or key 
business processes in the event of a disaster. An underlying problem was 
that written security policies and procedures were outdated and did not 
define the roles and re^nsibilities of maruigers and others with security 
responsibilities. The DqMrtment of Justice management agreed with the 
findings and has stated that each departmental component will work with 
Justice's CIO to develop corrective a^ons. 
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Examples of risks at other agendas include the following: 

• In May 1968, we reported that weak computer secuil^ practices at the 
Federal Aviation Administration (paa) Jeopardize fli^t safety. faa's air 
trafDc control network is an enormous, coir^ilex collection of interrelated 
systems, including navigation, surveillance, weather, and automated 
information processing aikl diq)lay systems that reside at, or are 
associated with, hundreds of facilities. All the critical areas induded in our 
review—facilities physical security, operational systems information 
security, ftiture systems modernization security, and management 
structure and policy implementation were ineffective. For eruunple, in the 
physical security area, a March 1997 iivspection of one facility that controls 
aircraft disclosed 13 physical security weaknesses, including uiumthorized 
persoimel being granted unescorted access to restricted areas, paa is 
uttaware of the weaknesses and vulnerabilities that may currently exist at 
other locations because the agency has not assessed the physical seciuity 
controls at 187 facilities since 1993. When we met with paa officials in late 
July 1998, they acknowledged that mrtjor improvements are needed in all 
areas of paa’s security program and discussed preliminary efforts to 
address most of our recommendatioirs. 

• In April 1997, the Department of Trairsportation’s IG identified multiple 
security exposures in the Department's extended wide area network 
which connects hundreds of local area networks and 50,000 computer 
workstations that support operations throughout the department, 
includiitg the Federal Aviation Administration, Federal Highway 
Administration, United States Coast Guard, Federal Railroad 
Administration, NaUoiud Highway Safety Tiaffic Administration as well as 
DOT headquarters.'^ 

• In ^ril 1997, the Department of Housing and Urban Development’s ig 
identified a varied of weaknesses that affected systems critical to 
supporting all facets of the department’s operations, including providing 
(1) housing subsidies for low and moderate income families, (2) grants to 
states and conunuidties, and (3) direct loans for construction and 
rehabilitation of housing projects.'* In particular, weaknesses associated 
with an application that annually processed over $9 billion in 
disbursements increased the risk of over or underpayments to housing 


'’Air TVafflc Control: Weak Cocnputer Security Piacticca Jeopardize FUght Safety (GAOfAlMD-66-166 
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authorities, Inaccurate budget projections, and users nudiciously enterii\g 
unauthorized transactions for payments. 

• In July 1997, the audit of the Department of Education’s fiscal year 1996 
and 1995 financial statements reported access control weaknesses in the 
Payment Management System, which controlled disbursements of over 
128 billion annually. As a result, unauthorized users could potentially have 
accessed confidential data, changed data, made urututhorl^ payments, or 
disabled the system." 

• In April 1997, the Department of the Interior’s to reported" that the Bureau 
of Indian Affairs’ had not implemented an effective system security 
program for the Bureau’s nu^r and sensitive mainfii^e applications, 
including the Land Records Infonnation System and the Individual Indian 
Monies System, that processed i^proximately 2.5 million transactions 
weekly. In particular, the Bureau had inadequate (1) access controls over 
the mainframe computer's, (2) software development and change controls, 
and (3) segregation of duties for the systems support functions, including 
data administration, data security, and quality assurance/testing. In 
addition, a service continuity plan had not been developed and the off-site 
storage facility was not secure or envirorunentally protected. 

• In March 1997, the Department of Commerce Inspector General reported 
material weaknesses at several Commerce Bureaus. For example, the 
Economic Development Administration, which managed all billion grant 
program in fiscal year 1997, did not adequately segregate programming 
responsibilities or adequately restrict access to its informatio. systems. 
In^propriately segregated duties can lead to implementation of 
unauthorized or inadequately tested programs. Further, unrestricted 
access can lead to accidental or intentional changes to program data." 

Recommended corrective actions have been provided to each of these 
agencies, and many have begun to implement them. 


**0.8. Deoartment or Education FUc«lYe*n 1886 and 1986 Financial Statementa and Accofnpanyinit 
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"Audit Report on Gen eral Controla Over Automated Infonnation Syatema, Operationa Service Center, 
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Although Nature of 
Risks Vary, Control 
Weaknesses Across 
Agencies Are Similar 


Although the nature of agency operations and the related risks vary, there 
are striking similarities in the specific types of general control weaknesses 
reported and in their serious negative in^)act on an agency’s ability to 
ensure the integrity, availability, and appropriate confidentiality of its 
computerized operations. In many cases, agencies have devel(^>ed policies 
atul begun to iinplement control techniques that could provide effective 
security. However, they have tK>t yet done enough to ensure that these 
policies arid controls remain effective on an ongoing basis. The following 
sections describe each of the six areas of general controls aird the q)eclfic 
weaknesses that were most widespread at the agencies covered by our 
analysis. 


Entitywide Security 
Program Planning and 
Management 


Each organization needs a set of maiugement procedures and an 
organizatiotud firamework for identifying and assessing risks, deciding 
what policies and controls are needed, periodically evaluating the 
effectiveness of these policies and controls, aixl acting to address airy 
identified weaknesses. These are the fundamental activities that allow an 
organization to manage its information security risks cost effectively, 
rather than reactiitg to iiwlividual problems ad hoc only after a violation 
has been detected or an audit fiiKUng has been report^ 

Despite the importance of this aq)ect of an information security program, 
we found that poor security planrdng and maiugement was a widespread 
problem. Of 17 agertcies where this aspect of security was reviewed, all 
had deficiencies. Many agencies had not developed security plaiu for 
mivlof systems based on risk, had not formally documented security 
p<^cies, and had not implemented a program for testing and evaluatirtg 
the effectiveness the controls they relied oa Examples include the 
foUowiitg. 

• In August 1997, the ic at the Department of Health and Human Services 
reported that the Health Care Firundng Agency had not reviewed internal 
controls or devdoped security plaru for its computer center, 
tdeconununlcations network^ or significant applications. Further, it did 
tK)t have a coruistent set of policies for overseeing the effectivetress of 
security at its contractor locations.'* 

• In July 1997, the Department of the Treasury IG repotted that the Bureau (tf 
Alcohol, Tobacco atKl Firearms had not developed formal policies, 
standards, and procedures; had not established a formal program for 
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security awareness and training; and had not identified all of its nuOoi’ 
applications.** 

• In A|»il 1997, we reported that the Internal Revenue Service needed to 
strengthen computer security management and that its approach to 
computer security was not effective in preventing serious and persistent 
computer security control weaknesses that exposed tax processing 
oper^ons to the serious risk of disruption and taxpayer data to the risk of 
uiuuithorized use, modification, aitd destruction.^' 

• In May 1997, independent auditors recommended that the Office of 
Persoiuiel Management develop security plans, identuy system owners, 
atKl require periodic Indepeitdent reviews of security controls.*’ 

• In May 1996, we repotted that the Department of Defense needed to 
establish a more comprehensive iifformation systems security program. 
%>ecific weaknesses included (1) outdated and incomplete policies for 
deteclittg stkI reacting to computer attacks, (2) lack of awareness among 
computer users, and (3) inadequately trained system and network 
administrators.** 

As a result of these types of deficiencies, agencies (1) were iK>t fully aware_ 
of the information security risks to their operations, (2) had accept^ an 
unknown level of risk by default rather thw consciously deciding what 
level of risk was tolerable, (3) had a Cslse sense of security because they 
were relying on controls th^ were not effective, and (4) could not make 
informed Judgmoits as to whether they were ^pending too little or too 
much of their resources on security. Security program management is 
discussed in greater detail in chapter 3. 


Access controls limit or detect inai^n^riate access to computer 
resources (data, equipment, and fiidlities) thereby protecting these 
resources against unauthorized modification, loss, and disclosure. Access 
controls include physical protections, such as gates and guards, as well as 
logical controls, which are controls built into software that (1) require 
users to authenticate themselves through the use of secret passwords dr 
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other identiflerB aiu) (2) limit the files and other resources that an 
authenticated user can access and the actions that he or she can execute. 
Without adequate access controls, unauthorized individuals, including 
outside intruders or terminated employees, can surreptitiously read and 
copy sensitive data and make undetected changes or deletions for 
malicious purposes or personal gain. In addition, authorized users could 
unintentionally modii^ or delete data or execute changes that are outside 
of their span of authority. 

. For access controls to be effective, they must be properly implemented 
and maintained. Fbst, an organization must analyze the responsibilities of 
individual computer users to determine what type of access (e.g., read, 
modify, delete) they need to ftilfiU their responsibilities. Then, specific 
control techniques, such as specialized access control software, must be 
implemented to restrict access to these authorized functions. Such 
software can be used to limit a user’s activities associated with specific 
systems or files and to keep records of individual users' actions on the 
computer. Finally, access authorizations and related controls must be 
maintained and arUusted on an ongoing basis to accommodate new or 
terminated employees and changes in users’ responsibilities and related 
access ireeds. 

Access control weaknesses were reported for all 23 of the agencies for 
which this area of controls was evaluated. Specific common problems 
included the following. 

• Managers had not precisely identified access needs for individual users or 
groups of users. Inikead, they had provided overly broad access privileges 
to very large groups of users. As a result, far more individuals than 
necessary had the ability to browse and, sometimes, modify or delete 
sensitive or critical information. At one agency, for instance, a number of 
intercormected systems with very poorly implemented access controls 
were accessible flrom remote locations by anyone who had the telephone 
number for the supporting network. Because access controls associated 
with both the network atul the systems were weak, an anonymous intruder 
could easily have dialed into the network, accessed any one of several 
systems, arid committed ai\y number of malicious actions, including 
reading, modifying, arid deleting both data and other users’ access rights 
and severely disrupting service. At another agency, 90 employees could 
change amounts available to grantees and contractors associated with an 
$8 billion grant program 
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• Access was not appropriately authorized and documented. For example, at 
one agency, user access was vertudly requested and approved and no 
related doimmentatlon was maintained. 

• Usen shared accounts and passwords or posted their passwords in plain 
view, making it impossible to trace specific transactions or modifici^ons 
to an individual. Also, use of default, easily guessed, and unencrypted 
passwords significantly increased the tl^k of unauthorized access. 

• Software access controls were improperly implemented, resulting in 
unintended access or gaps in access control coverage. For example, at one 
agency locatiort, any one of 17,000 system users could search, view, and 
print information in ai\y of the other users* print files because access to 
temporary files holding users’ output was not adequately restricted. 

• User activity was not adequately monitored to deter and identiiy 
irupprc^riate acdotvs, and when suspicious activity was noticed, it was 
oft^ rtot investigated nor the perpetrator penalized. For example, records 
of user activity, referred to as audit logs, were either not maintained, not 
maintained in a useable format, or were too volumirrous to be practical. As 
a result, it was either rrot possible or practical to review these logs to 
identify iruqrpropriate actions and link any such actions to individual 
users. Such monitoring is especially important to prevent users with 
access to sensitive data from inappropriately browsing data that do not 
pertain to the work at hand and to identic activity indicating an intrusion 
into a network or systm. However, tests showed that most attacks at this 
agency were not detected and reported. 

• Access was not pronqrtlytermirrated when users either left the agency or 
arUustcd when their resportsibilities no longer required them to have 
access to certain files. In addition, inactive user identificatiotvs were not 
routinely Identified and deleted. As a result, contractors and former 
employees who were no longer associated with the agency, could still 
read, modify, copy, or delete data, and employees who chimged positions 
within an agency histd access to files that were not needed in their new 
positions. For example, at one location, autonrated controls were set to 
allow former employees access for 90 days after their employment had 
termirtated. 

To illustrate the risks associated with poor authentication and access 
controls, in recent years, we have begun to incorporate penetration testing 
into our audits of information securify. Such tests involve attempting to 
gain unauthorized access to sensitive files and data by searching for ways 
to circumvent existirrg controls, often flrom remote locations. 

Unfortunately, our auditors have been successful, in almost every test, in 
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readily gaining unauthorized access that would allow intruders to read, 
modify, or delete data for whatever purpose they had in miiul. 


Application Software Application software development and change controls prevent 

Development and Change unauthorized software programs or modifications to programs firom being 
Controls implemented. Key aspects of such controls are ensru^ that (1) software 

changes are pit^iierly authorized by the managers responsible for the 
agency program or operations that the application supports, (2) new and 
modified software programs are tested and approved prior to their 
implementation, and (3) approved software programs are maintained in 
carefully controlled libraries to protect them firom unauthorized changes 
and ensure that different versions are not misidentified. 

Such controls can prevent both errors in software programming as well as 
malicious efforts to insert unauthorized computer program code. Without 
adequate controls, incompletely tested or unapproved software can result 
in erroneous data processing that, depending on the application, could 
lead to losses or outcomes. In addition, individuals could 
surreptitiously modify software programs to include processing steps or 
features that could later be exploited for personal gain or sabotage. 

The effectiveness of software change controls is of particular concern as 
agencies design, test, and implement changes to ensure that their 
computer aottwaie will properly handle the year-2000 date change. As the 
end of the millennium approaches, agencies are under increasing pressure 
to ensure that their computers can distinguish between the year 1000 and 
the year 2000, since many use only the last two digits when identiiying 
years. In an effort to accomplish these changes on time, agencies may be 
forced to speed up their software change process and increase their 
reliance on newly hired persormel or contractors. In such an environment, 
it will be especially important to ensure that software changes are 
properly tested and approved before they are implemented 

Weaknesses in software program change controls were identified for 14 of 
the 18 agencies where such controls were evaluated The most common 
types of weaknesses in this area included the following; 

• Testing procedures were undisciplined ajnd did not ensure that 
implemented software operated as intended. For example, at one agency, 
chimges were made directly to software programs in operation rather than 
in a separate and controlled test environment, increasi^ the i!sk that 
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erroneous or unauthorized software would result in miscalculations of 
pension liability. 

• Implementation procedures did not ensure that only authorized software 
was used. In particular, procedures did not ensure that emergency 
changes were subsequently tested and formally approved for continued 
use and that implementation of “locally-developed” unauthorized software 
programs was prevented or detected. 

• Access to software program libraries was inadequately controlled. For 
example, at one agency, most system users—over 13,000 individuals—had 
the ability to modify application programs that processed millions of 
dollars in financial transactions. At another agency, approximately 16,000 
users had unrestricted access to application programs, which allowed 
tiiem to modify and delete programs and data. 


Segregation of duties refers to the policies, procedures, and organizational 
structure that help ensure that one individual cannot independently 
control all key aspects of a process or computer-related operation and 
thereby conduct unauthorized actions or gain unauthorized access to 
assets or records without detection. For example, one computer 
programmer should not be allowed to independently write, test, and 
{qiprove program changes. 

Although segregation of duties, alone, will not ensure that only authorized 
activities occur, inadequate segregation of duties increases the risk that 
erroneous or fraudulent transactions could be processed, that improper 
program changes could be implemented, and that computer resources 
could be damaged or destroy^. For example, 

• an individual who was independently responsible for authorizing, 
processing, and reviewing payroll transactions could inappropriately 
increase payments to selected individuals without detection; or 

• a computer programmer responsible for authorizing, writing, testing, and 
distributing program modifications could either inadvertently or 
deliberately implement computer programs that did not process 
transactions in accordance with management’s policies or that included 
malicious code. 

Controls to ensure appropriate segregation of duties consist mainly of 
documenting, communicating, and enforcing policies on group and 
individual responsibilities. Enforcement can accomplished by a 
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combination of physical and logical access controls and by effective 
supervisoiy review. 

Segregation of duties was evaluated at 17 of the 24 agencies covered by 
our analysis. Weaknesses were identified at 16 of these agencies. Common 
problems involved computer programmers and operators who were 
authorized to perform a wide variety of duties, thus providing them the 
ability to independently modify, circumvent, and dis^le system security 
features. For example, at one data center, a single individual could 
independently develop, test, review, and approve software changes for 
implementation. Segregation of duty problems also were identified related 
to transaction processing. For example, at one agency, all users of the 
financial maruigement system could independently perform all of the steps 
needed to initiate and complete a payment—obligate funds, record 
vouchers for payment, and record checks for payment—making it 
relatively easy to make a firaudulent payment. 


System Software Controls System software controls limit and monitor access to the powerful 

programs and sensitive files associated with the computer systems 
operation. Generally, one set of system software is used to support and 
control a variety of implications that may run on the same computer 
hardware. System software helps control and coordirukte the input, 
processing, output, and data storage associated with all of the appUcatiotvs 
that run on the system. Some system software can clumge data and 
program code on files without leaving an audit trail or can be used to 
modify or delete audit trails. Examples of system software include the 
operating system, ^tem utilities, program library systems, file 
maintenance software, security software, data communications systems, 
and database management systems. 

Controls over access to and modification of system software are essential 
in providing reasonable assurarkce that operating system-based securify 
controls are not compromised and that the system will not be impaired. If 
controls in this area are inadequate, unauthorized individuals mi^t use 
system software to circumvent security controls to read, modify, or delete 
critical or sensitive information and programs. Also, authorized users of 
the system may gain unauthorized privileges to conduct unauthorized 
actions or to circumvent edits and other controls buUt into iq>plication 
programs. Such weaknesses seriously diminish the reliability of 
information produced by all of the iq)plications supported by the conq>uter 
system and increase the risk of fraud, sabotage, and inappropriate 


Pascal 


GACVAHIMS-M Pea«ral ImtonutOom Scewity 






Ckapterl 

SlCaiflcMt WMkMMM I4tatill«d U AU 


« 

disclosures. Further, system software programmers are often more 
technically proficient than other data processing personnel and, thus, have 
a greater ability to perfonn ui\authorized actions if controls in this area are 
weak. 

The control concerns for system software are similar to the access control 
issues and software program change control issues discussed earlier in 
this section. However, because of the high level of risk associated with 
system software activities, most entities have a separate set of control 
procedures that apply to them. 

Operating system software controls were covered in audits for only 9 of 
the 24 agencies included in our review. However, problems were identified 
for all 9 agencies, illustrating the importance of reviewing operating 
system controls. A common type of problem reported was insufficiently 
restricted access that made it possible for knowledgeable bidividuals to 
disable or circumvent controls in a wide variety of ways. For example, at 
one facility, 88 Individuals had the ability to implement projpams not 
controlled by the security software and 103 had the abiUty to access an 
unencrypted security file containing passwords for authorired users. 


Service Contiliuity Service continuity controls ensure that, when unexpected events occur. 

Controls critical operations continue without undue interruption and critical and 

sensitive data are protected. For this reason, an agency should have 
(1) procedures In place to protect information resources and minimize the 
r^k of unplaruied interruptions and (2) a plan to recover critical 
operatiorts should interruptions occur. These plaris should consider the 
activities performed at general 8iq[>pc;t facilities, such as data processing 
centers, as well as the activities performed by users of specific 
applicatioru. To determine whether recovery plaru will work as intended, 
they should be tested periodically in disaster simulation exercises. 

Although often referred to as disaster recovery plans, controls to ensure 
service continuity should address the entire range of potential disruptions, 
lliese may include relatively minor interruptions, such as temporary 
power failures or accidental loss or erasing of files, as well as major 
disasters, such as fires or ludural disasters that would require 
reestablishing operations at a remote location. 

Losing the capability to process, retrieve, and protect it>formation 
maintained electronically can sigidficantly affect an agency’s ability to 


r«ce 4t 


OACVAllil>-S$-9S fcdcnl loTbimatioa Secvitr 






170 


CkaH*rl 

Slf»Uiea*t WMkMMM IitoatUM; a All 
M^tor AgCBclM 


accomplish its mission. If controls are inadequate, even relatively minor 
interruptions can result in lost or incorrectly processed data, which can 
cause financial losses, expensive recovery efforts, and inaccurate or 
itKomplete fiirancial or management information. Service continuity 
controls include (1) taking steps, such as routinely making backup copies 
of files, to prevent and minimize potential damage and interruption, 

(2) developing and docrunenting a comprehensive contingency plan, and 

(3) periodically testing the contii^ency plan and adjusting it as 
appropriate. 

Service continuity controls were evaluated for 20 of the agencies included 
in our analysis. Weaknesses were reported for all of these agencies. 
Common weaknesses included the following: 

• Plaivs were incomplete because operations and supporting resources had 
not been fiiUy analyzed to determine which were the most critical and 
would need to be resumed as soon as possible should a disruption occur. 
For example, one agency had identified critical workloads arid processing 
priorities that would ne^ to be resumed and supported after a disruption 
but had not identified the specific software needed for users to perform 
their Jobs. Such iirformation could be difficult to compile in the conftision 
that would be likely.after a nuOor disruptive event 

• Disaster recovery plans were not ftUly tested to identify their weaknesses. 
One agency’s plan was based on an assumption that key personnel could 
be contacted within 10 minutes of the emergency, an assumption that had 
not been tested. 


Conclusion important operations at every msijor federal agency are at some type of 

risk due to weak information security controls. There are marry specific 
causes of these weaknesses, but many result from poor security program 
management and poor admirristration of available control techniques. 

The audit reports dted in this chapter iiKlude numerous 
reconunend^ons to individual agencies that address the specific 
weaknesses reported. For this reason, we are making rm additional 
recommendati(M)s to these agertcies in this report However, our executive 
guide, Infonnation Security Marmgement Learning From Leading 
Oganizations (CAtVAiMD-saes), discusses the results of our recent study of 
information security best practices and outlines a number of principles 
and practices that could aud>le federal agencies to implement mote 
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effective information security programs. Chapter 3 summarizes the 
principles outlined in the executive guide. 
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Need for Improved Security Program 
Planning and Management at Individual 
Agencies 


Although auditors can provide periodic independent assessments of 
agency (^rations, ultiinately it is agency management that is req>onsible 
for enkuing that internal controls, including information security controls, 
are apprc^riately selected and effectively implemoited on an ongoing 
basis. In ^tember 1996, we reported that an underlying cause of poor 
federal information security was that many agencies had not instituted a 
framework for proactively managing the informaticm security risks 
associated with their operations.' Instead, there was a tendency to react to 
individual audit findings as they were reported, with little ongoing 
attention to the eystemic causes of control weaknesses. Siitce then, as 
discussed in chapter 2, additional audits have identified the same 
underlying problem. Security program planning and management 
deficiencies were repotted for 17 of the 24 agencies included in our 
analysis. In particular, agencies were not adequately assessing risks and 
monitoring control effectiveness. 

To identify potential solutions to this problem, during 1997, we studied the 
security marugement practices of eight nonfederal organizations known 
for their superior seciuity programs. We fouitd that these organizations 
. numaged their information security risks through a cycle of risk 
maitagement activities, and we identified 16 specific practices that 
supported these risk management principles. These findings were initially 
published as an exposure draft in November 1997. Subsequently, they 
were published in May 1998 in an executive guide entitled Information 
Security Management- Learning From Leading Organizations 
(GAO/AMDaMs). The guide is generally consistent with omb and nist 
guidance on information seciuity program management, and it has been 
endorsed by the cio CouncU as a useftd resource for agency managers. The 
guide’s major points are summarized below. 


Best Practices 
Provide a Framework 
for Improvement 


Our study of information security management practices identified a 
ftindamental set of management principles and 16 q>ecific practices. 
Together, these principles and practices constitute a cycle of activity for 
managing risk. 


The Risk Management 
Cycle 


The risk marugement cycle, as depicted in figure 3.1, begins with an 
assessment of risk and determination of needs, including selecting 
cost-effective policies and related controls. Once policies and controls are 
decided on, they must be implemented. Then, policies and controls, as 
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well as the risks that prompted their adoption, must be communicated to 
those responsible for complying with them. Fiiudly, and pertiaps most 
importantly, there must be procediues for evalua^ the effectiveness of 
policies and related controls and reporting the resulting conclusions to 
those who can take appropriate corrective action. Also, our study found 
that a strong central security management focal point can help etvsure that 
the mftjor elements of the risk management cycle are carried out and serve 
as a communications link among organizatioruil units. This cycle of 
activity, coordinated by a central focal point, can help ensure that existing 
controls are effective and that new, more advanced control techniques are 
prudently and effectively selected and implemented. 


Figure 3.1: The Risk Management 
Cycle 



The elements of the risk management cycle are not new. They have been 
described in various ways in omb and nist guidance and in various other 
guides on information security and internal controls. Nevertheless, as 
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basic as these principles are, audits continue to show that nuuvy federal 
agaicies have not in^lemented this cycle of activity. 

One possible cause for this deficiency is that some senior agency officials, 
like many private sector executives, may be Just begiiming to realize how 
critical th^ information resources are to their program operations and 
may not fully understand that security weaknesses present formidable 
risla to mission-related operations. Another reason is that maintaining 
adequate information security can be difficult The complicated and 
technical nature of many of ttw risks and controls requires that 
organizations adopt more defined processes than are needed to manage 
other types of internal controls. These defined processes are needed to 
ensure that personnel with the right mix of expertise are involved in risk 
management decisions; that all pertinent factors are considered; that the 
effectiveness of controls, especially technical controls, is reliably 
evaluated; and that the results of these evaluations and their potential 
effects on critical operations are clearly reported to senior officials. 

Within this basic risk management cycle, we identified 16 practices that 
were key to the effectiveness of an information security program. A brief 
description of these practices, organized according to the five elements of 
the risk management cycle, follows. A more detailed description 
accompanied by case examples can be found in our executive guide. 


Assess Risk and Determine 
Needs 


Practice 1: Recognize 
Information Resources as 
Essential Organizational Assets 


Organizations that have become heavily dependent on computers, 
electronic data, and telecommunications to conduct their a^vities must 
recognize that these information resources are critical assets, essential to 
supporting business operations. Information protection should be viewed 
as an integral element of operational management and strategic plaiuUng. 
In particular, senior executives must understand the importance of data 
and systems and be willing to devote an appropriate level of resources to 
protecting these assets. 


Practice 2: Develop Practical 
Risk Assessments Hiat Link 
Security to Business Needs 


Security needs should be based on risk, and this requires some 4q)e of risk 
assessment Various methods can be used, firom rel^vely informal 
discussions to complex analyses. Key success factors are that risk 
assessments 
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Practice 3: Hold Program and 
Business Managers 
Accountable 


Practice 4: Manage Risk on a 
Continuing Basis 


• be required and Involve defined minimum procedures; 

• involve a mix of individiials with knowledge of business operations and 
technical aspects of the organization’s systems; 

• rank, but not necessarily precisely quantiiV, risks; 

• require sign-off by business managers indicating agreement with risk 
reduction decisions and acceptance of the residual risk; and 

• result in documentation that is provided to more senior officials and 
internal auditors, so that participants can be held accountable for their 
decisions. 

Primary responsibility for managing risk should rest with business or 
program managers because they are in the best position to determine what 
the business impact of a loss of integrity, confidentiality, or availability of 
information resources would be. The security specialists, on the other 
hand, should play more of an educational and advisory role. However, they 
should not hesitate to elevate discussions to higher levels if they believe 
that inappropriate risk management decisions are being made. 

Risk must be continuously reassessed because the factors that affect 
risk —threats, technology, known vulnerabilities, and the sensitivity of 
the operations being supported—frequently change. 


Establish a Central 
Management Focal Point 

P*ractice 6: Designate a Central Central security management groups can ensure that the various elements 
Group to Carry Out Key of the risk management cycle are implemented. They can also serve as a 

Acti\'ities conduit for communicating information across organizational lines and 

from outside sources. 


Practice 6; Provide the Central Regardless of their organizational position, an organization’s central 
Group Ready and Independent security manager must feel that he or she can comfortably raise issues to 
Access to Senior Executives higher levels. Independent access to senior executives allows senior 

security managers to provide an objective assessment of security needs 
and gives them the clout to be effective throughout their organizations. 


Practice 7: Designate Dedicated Central groups should have defined budgets that allow them to plan and 
Funding and Staff set goals. However, they may also rely on a network of subordinate 

security specialists who work in other organizational units. 
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Practice 8: Enhance Staff 
Professionalism and Technical 
Skills 

Develop security managers into a cadre of respected specialists. Technical 
training and professional certification should be encouraged and kept 
current 

Implement Appropriate 
Policies and Related 
Controls 


Practice 9: Link Policies to 
Business Risks 

Policies and the controls to implement policies should flow directly fi’om 
risk assessments and, thus, be linked to business risks. Also, as risk 
factors change, policies and controls should be updated. 

Practice 10: Distinguish 

Between Policies and 

Guidelines 

Distinguishing between policies and guidelines provides flexibility for 
individual business units. However, high-risk operations are likely to 
require a more detailed set of mandatory policies and standards. 

Practice 11: Support Policies 
Through the Central Security 
Group 

Central groups can promote consistency in policy implementation by 
developing the related written documents, based on input from business 
managers, attorneys, and others, and by serving as the organizational focal 
point for policy questioirs. 


Promote Awareness 


Practice 12: Continually 
Educate Users and Others on 
Risks and Related Policies 


Practice 13: Use 
Attention-Getting and 
User-Friendly Techniques 


Awareness of both risks and policies should be vigorously promoted so 
that users understand the imporUsn *6 of complying with policies and 
controls. In particular, sensitizing employees and other users to risks can 
make users (1) think twice before revealing sensitive data and (2) more 
likely to notice and report suspicious activity. 

Various promotion techniques, such as intranet websites, awareness days, 
and posters can keep security in the forefront of users’ minds. Two 
effective techniques are customized briefings to individual business units 
£md videos featuring top organization executives promoting security as 
everyone’s responsibility. 
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Monitor and Evaluate 
Policy and Control 
Effectiveness 

Practice 14: Monitor Factors 
That Affect Risk and Indicate 
Security Effectiveness 


Practice 16: Use Results to 
Direct Future Efforts and Hold 
Managers Accountable 


Practice 16: Be Alert to New 
Monitoring Tools and 
Techniques 


Improved Security 
Depends on Broader 
Improvements to 
Information 
Technology 
Management 
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Managers should develop procedures for periodically evaluating the 
effectiveness of their informaUon security programs, paying closest 
attention to the controls associated with the most critic^ operations. 
Monitoring and evaluation efforts should focus primarily on 
(1) determining if controls are operating as intended and (2) evaluating the 
effectiveness of the security program in communicating policies, raising 
awareness levels, and reducing incidents. Testiirg controls, including 
penetration testmg, is an effective way to determine if policies and 
controls are operating effectively. Other types of mordtoring and 
evaluation activities include periodic reports on compliance with various 
policies, the number of inquiries from users, and the number and nature of 
security incidents reported. 

The full benefits of monitoring are not achieved unless results are reported 
to officials who can take any actions needed to improve the security 
program. Such action can include (1) reassessing previously identified 
risks, (2) identifying new problem areas, (3) reassessing the 
appropriateness of existirig controls and security-related activities, 

(4) identifying the need for new controls, (5) redirecting subsequent 
monitoring efforts, and (6) holding managers accountable for compliance. 
Effecting change and holding managers accountable generally requires 
involvement of an organization’s most senior executives. 

Because new technology is beirtg introduced at a fast pace, with related 
security controls often lagging behind, security specialists must keep 
abreast of information on new ri$ks and control techniques through 
professional organizations and literature. 


The risk management activities described in our executive guide and 
summarized above are likely to be most successful if implemented in the 
context of broader improvements to federal information technology 
maitagement Over the last few years, the Congress has enacted legislation 
that is prompting landmark reforms in this broader area. In particular, the 
Paperwork Eduction Act of 1995 and the Clinger-Cohen Act of 1996 
emphasize the need for agencies to apply information resources to 
effectively support agency missions and delivery of services to the public. 
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ITiese laws stress the importance of involving senior executives in 
information management decisions, appointing senior-level chief 
information officers, and using performance measures to assess the 
contribution of technology in achieving mission results. Both q>eciiy 
security as an a^>ect of information management that must be addressed. 
711686 broader iirformation management improvements are apt to improve 
security management because they prompt senior agency officials to take 
a more active role in managing their organizations’ use of information 
technology. Further, agencies may find this environment of reform 
conducive to rethinking their security programs and considering new 
practices. 


Conclusion 


Although existirrg federal guidance outlines basic security plaruiing and 
management requirements, many, if not most, of the reported weaknesses 
in agency information security controls can be traced to poor performance 
in this area. Good maruigement is essential to erasure that relied-upon 
controls are working effectively on a continuous basis. It is also important 
to help ensure that agencies promptly identify emerging risks and take full 
advantage of more sophisticated security controls as they become 
available. Our executive guide, which outlines the risk management 
practices employed by leading organizatioitf, provides a framework of 
solutions that supplement existing federal guidance and can assist 
agetrcies in stren^erring their marragement of this critical area. 
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Chapter 4 _ 

Centrally Directed Improvement Efforts 
Have Increased, but Most Have Not 
Progressed Beyond Planning Stage 


Several new govenunentwide effoita to improve federal information 
security have been initiated since we last reported on this topic in 
September 1996, such as the recent issuance of Presidential Decision 
Directive (pdd) 63 on critical infrastructure protection. Most of these 
efforts, however, had only recently been started and had not progressed 
far beyond the ptaiming stages at the close of our review. In Edition, 
while these efforts address some important information security problems, 
such as inadequate risk awareness and incident reporting capabilities, 
none provides a comprehensive strategy for adequate monitoring and 
oversight of agency performance in this area 

Federal agencies are primarily responsible for protecting their respective 
information resources, but govemmentwide leadership, coordination, and 
oversight are important to (1) ensure that federal executives understand 
the risks to their operations, (2) moiUtor agency performance in mitigating 
these risks, (3) ensure implementation of needed improvements, and 
(4) facilitate actions to resolve issues affecting multiple agencies. To help 
achieve this, the Paperwork Reduction Act of 1980 made omb responsible 
for developing information security policies and overseeing related agency 
practices. 

Since September 1996, omb has continued to review selected agency 
system-related projects and provide input through various federal task 
forces and working groups. These efforts were supplemented in late 1997 
when the cio Council, under omb’s leadership, designated information 
security as one of six priority areas and established a Security Committee. 
The Committee, in turn, has developed a preliminary plan and taken 
several actions primarily related to promoting awareness, planning for 
improving agency access to incident response services, and establishing 
links with other federal entities involved in security issues. However, 
neither omb nor the Council has developed a comprehensive strategy for 
ensuring that agency sec^uity programs are effective. 

More recently, in May 1998, pdd 63 was issued, which established several 
entities within the National Security Council, the Department of 
Cortunerce, and the Federal Bureau of Investigation to address critical 
infrastructure protection, including federal agency information 
mfrastructures. This directive specified several requirements related to 
evaluating and coordinating federal agency information security practices. 
However, at the close of our review in early August 1998, it was not clear 
how and when these new requirements would be implemented and how 
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they would be coordinated with existing requirements and with efforts 
underway at other federal entities. 


Previous 

Reconunendations 
Urged More Active 
Oversight 


In 1996, we reported that, although omb had improved federal guidance 
pertaining to information security, its oversight efforts were uneven, and it 
generally did not proactively attempt to identify and promote resolution of 
fUndamentai security program weaknesses that were likely to be at the 
root of reported deficiencies at individual agencies. Our report 
recommended that omb 

• take advantage of the wide range of information currently reported in 
financial statement audit reports and agency self-assessments to monitor 
agency compliance with omb’s guidance and the effectiveness of agency 
information sectuity programs, and 

• implement a program for increasing its program examiners' understanding 
of infoimation security management issues so that they can more readily 
identify and understand the implications of infoimation security 
weaknesses on agency programs. 

We also reconunended that omb promote the cio Council's (1) adoption of 
information security as one of its top priorities and (2) development of a 
strategic plan for increasing awareness of the importance of infoimation 
security, especially among senior agency executives, and improving 
information security program management govemmentwide. We 
suggested that the ao Council's strategic plan include plans for 

• developing Information on the existing security risks associated with 
nonclassified systems currently in use, 

• developing information on the risks associated with evolving practices, 
such as Internet use, 

• identifying best practices regarding information security programs so that 
they can be adopted by federal agencies, 

• establishing a pro^am for reviewing the adequacy of individual agency 
information security programs, 

• ensuring adequate review coverage of agency information security 
practices by considering the scope of various types of audits and reviews 
performed and acting to address any identified gaps in coverage, 

• developing or identifying training and certification programs that can be 
shared among agencies, and 

• identifying proven security tools and techniques. 
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The ao Council has begun to lay the groundwork for improvements in 
several areas, but has not developed a comprehensive strategy that 
identifies the most critical issues affecting federal information security 
and includes long-term goals and objectives, including annual performance 
goals. During 1997, the Council discussed various critical information 
management issues, and in late 1997, formally declared information 
security as one of six priority areas that will guide the Council’s activities. 
The stated goal for this area is to “ensure implementation of security 
practices within the Federal Government that gain pubUc confidence and 
protect Government service, privacy, and sensitive and national security 
information.” Two other priority areas—defiidng an interoperable 
architecture and improving information technology workforce skills—may 
also support security improvements^An interoperable federal computer 
systems architecture will make it easier to implement and manage security 
controls, and improving technical workiorce skills will help provide 
expertise needed to select and properly iniplement techidcal controls. 

To guide activities associated with its information security goal, the 
Council established the Security Committee, also in late 1997. Since then, 
the Committee has taken some steps to coordinate its plans with related 
activities at other federal entities and address some of the most prominent 
goverrunentwide problems associated with information security, such as 
insufficient awareness of risks, inadequate technical training, and poor 
incident response capabilities. 'Diese projects have been conducted during 
monthly meetings and by part-time efforts of individual committee 
members between meetings. Accomplishments as of August 1998 are 
described below. 


CIO Council Plans 
Focus on Solving 
Selected Crosscutting 
Problems 


Preliminary Strategic Plan Diuing late 1997, the Security Committee developed a preliminary 
Developed strategic plan, wtdch was incorporated into a larger strategic information 

technology management plan developed jointly by omb and the cio Council 
and issued in January 19^.' The information security segment of the plan 
includes three general objectives: promote awareness and traiiung, 
identity best practices, and address technology and resource issues. Under 
each of these objectives, three or four specific activities and related 
milestones are briefly Identified. Committee members told us that they 
expect to expand on this initial plan as the year progresses. 


'The Paperwork ReducUon Act requires OMB to annually submit a govemmentwlde infonnation 
technolocy plan to the Consreaa. The 1996 plan Is the fliat such plan jointly prepared by OMB and the 
CIOCounciL 
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EqNUtfion of the plan is important to help ensure that the many facets of 
this problem are identified, prioritized, and addressed efficient^ and 
effectively. Ideally, such a plan would Identfi^ the many policy, technical, 
legal, and human resource issues that affect federal information security 
and describe the various roles and activities of other federal entities 
involved in improving the protection of unclassified federal data. Such 
entities include, but are not limited to, nist, the National Security Agency, 
and the Government Information Technology Services Board. A 
description of the information security-related activities of omb's Office of 
Information and Regulatory Affairs, C^ce of Federal Fliumcial 
Management, and program examiners also would be useful. Further, the 
plan could Include long-term goals and objectives, including time frames, 
priorities, and expected accomplishments, and aimual performance goals. 

For example, to better coordiiuite agency activities, increase efficiency, 
and build on existing expertise, the plan could provide for identifying and 
.sharing individual agency solutions to common challenges, such as 
incident handling. Investigations, contingency platming, security plan 
development, virus protection, security awareness, and system 
architecture design. Related efforts could include, for ea^ functional 
area, 

• desigruUing an individual to serve as a focal point; 

< developing a consolidated e-mail directory for key agency persotmel; 

• identifying useful web sites and evaluation tools; 

• publicizing software and training aids and opportunities; and 

• reviewing, filtering, and distributing notices and advisories on software 
vulnerabilities, such as those issued by Camegie-Mellon University’s 
Computer Emergency Response Team. 

In addition to coordinating and optimizing the value of agency efforts, 
such a plan could help irtform agency managers about their information 
security responsibilities, maximize the value of audit results, and facilitate 
administration and Congressional oversight Fluther, it could provide 
support for the govemmentwide performance plan that omb is required to 
include in the president’s aruiual budget submission to the Congress under 
the Government Performance and Results Act The first govemmentwide 
performance plan and related ‘priority management objectives” were 
published in early 1998 as part of the President’s Fiscal Year 1999 Budget 
However, that plw provided few details on the administration’s strategy 
for addressing widespread deficiencies in federal information seciuify. 
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Efforts to Facilitate The Security Committee has established links with other federal entities 

Projects Sponsored by information security responsibilities, including nist aiKl the National 

Security Agettcy, requested briefings on other federally ^ruored 
information security efforts; and acted to support and facilitate these 
efforts. For example, in late 1997 and early 19^, the Committee explored 
ways to gain broader federal agency participation in FedCiRC, a program 
irUtiated by nist in 1996 to provide agencies a means of responding to 
computer security irM:idents. omb Circular A-130, Appendix m, requires 
agencies to have a capability to (1) help users when a security incident, 
such as a suspected system intrusion, occurs, (2) share information on 
common vulnerabilities and threats, and (3) assist in pursuing appropriate 
legal action. In May 1998, the Council took action on the Fedcmc i^ue by 
endorsing the Security Committee’s recommendation to shift sporuorship 
of FedCiRC to GSA and to change the funding mechanism. As of 
August 1998, the Council was developing detailed arrangements in 
anticipation of implementing the change at the start of fiscal year 1999. 

Other briefing topics at Security Committee meetings have included our 
study of information security management best practices, which is 
discussed in chapter 3, and the “Information Security Countermeasures 
Assessment Project," sponsored by the Air Force Research Laboratory. 
The latter is an effort to develop a better understanding of the 
effectiveness of administrative and technical measures for preventing 
security incidents. 


Security Awareness In February 1998, the Security Committee arranged for and held a security 

Seminar awareness semiiur to brief f^eral officials on information security risks. 

Speakers included representatives from the National Security Agency, nist, 
and private sector organizations who described the latest challenges to 
maintaining adequate security. The seminar was attended by about 80 
individuals—^primarily agency cio and federal agency information security 
officers. Comments from seminar attendees indicated that the program 
was a success and that more such programs addressing an expanded 
variety of topics would be welcome. 

The results of our recent study of information security management 
practices indicate that it would be valuable to expand the reach of such 
awareness seminars beyond agency cio offices to a broader audience of 
senior program executives. If program officials have a more thorough 
understanding of the information security risks to their operations and 
assets, they will be more likely to (1) encourage their staff to comply with 
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security requirements, (2) devote resources for security, and (3) make 
prudent decisions regarding the appropriate levels of protection needed. 


Oversight of Agencies 
Remains Limited 


Central oversight of the effectiveness of agency security programs is 
important because audit results indicate that agencies are not adequately 
identifying and addressing seciuity weaknesses on their own. One 
resource for such oversight is the large body of audit evidence that has 
become available in the last few years, primarily due to reviews of 
computer security controls performed as part of financial statement 
audits. Although, as discussed in chapter 2, comprehensive audits of 
computer security are not yet being performed at all agencies, analyses of 
these audit results and related reports could provide a starting point for 
measuring progress. The results can also be useful in identifying 
continuing problem areas and encouraging agency managers to take a 
more proactive role in identifying and addressing weaiknesses 
themselves—before the weaknesses are discovered and reported by 
auditors. 


A nuOor aspect of our previous recommendations that is not being 
addressed by either omb or the cio Council is establishing a more 
structured program for ensuring that agency security programs are 
adequately evaluated and the results used to measure performance and 
prompt improvement Minimum requirements for agency security 
programs are outlined in omb Circular A-i30, Appendix UI, “Security of 
Federal Automated Information Resources." Updated in February 1996, 
Appendix III requires agencies to assign responsibility for security, 
develop a system security plan, screen and train individual users, assess 
risk, plan for disasters and contingencies, and periodically review their 
seciuity safeguards. It also requires agencies to clearly define 
responsibilities and expected behavior for all individuals with access to 
automated systems and to implement security incident response and 
reporting capabilities. 


OMB’s Oversight Efforts 
Focus on Individual Issues 
and Projects 


omb's program examiners may consider information security during their 
broader review of an agency’s mission-related programs, generally, as part 
of their review of agency information technology investment plans. 
Program examiners are assisted in this area by policy analysts in omb’s 
Information Policy and Technology Branch. In addiUon to their o’vn 
specialized expertise, these policy analysts keep abreast of 
govemmentwide information security issues by interacting with other 
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federal entities such as the Federal Ck>mputer S^uriiy Managers Forum, 
the National Security Telecommunications and Irtformation Systems 
Security Committee, the Security Policy Board, and the National Security 
Telecommunications Advisory Committee. 

In 1996, we reported that few of the program examiners had significant 
experience or expertise in dealing with information systems or related 
security issues and most did not consider the effectiveness of an agency’s 
overall information security program. For this reason, in our 
September 1^ report, we recommended that omb implement a program 
for increasing its program examiners’ understanding of ird'ormation 
security management issues and of the related audit results that were 
available to them. 

Since then, officials in omb’s Information Policy and Technology Branch 
say that they have provided two specialized security trairdng sessions to 
program examiners and have continued to advise them on various 
security-related issues, such as the adequacy of system security plans, 
authentication, encryption, privacy of data and databases, and Internet 
and World Wide Web use. Agency projects cited as receiving attention 
pertaining to information seciuity since early 1997 include (1) dod’s 
Defense Messaging System, (2) the FBI’s National Crime Information 
Center irtformatlon sharing initiative, (3) encryption of online services at 
the Dlip^(Wents of EdupStion and the Interior and the Office of Personnel 
Managern^t:»ap4 <i*^^tical irrfrastructure protection issues at the 
Federal Aviation Administration and the Departments of Energy and 
Defense. 


While omb’s policy analysts and program examiners can provide valuable 
oversight of specific issues and projects, in light of the continuing reports 
of serious deficiencies, a more structured approach for measuring broader 
compliance with Circular A-130, Appendix III, and the effectiveness of 
agency security programs is needed. To be effective, such an approach 
must include comprehensive evaluations and tests of agency security 
programs at mryor agencies and reports at regular intervals that show 
improvements and deteriorations in program effectiveness. 

Much could be learned by analyzing the results that are already available 
from financial statement audits, as discussed in chapter 2. Also, 
agency-initiated assessments, required by both omb Circular A-130, 
Appendix III, and fwfta, can be a source of evaluation results. Periodic 


A More Comprehensive 
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Program Would Provide 
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evaluations initiated by agency management are an essential step in 
helping determine whether controls are effective, v^ch is an essential 
aspect of managing risk, as discussed in chapter 3. However, recent audits 
have identified numerous serious information security weaknesses that 
have apparently not been identified by agency managers and have not 
been reportid in annual reports to the President and the Ck)ngress, as 
required by mm. As a result, these reports are of limited value for 
oversight and, more importantly, agencies do not have the information 
they need to maixage their informaticm security risks. 

To assist agencies in reviewing their computer-based controls and 
supplement audit information that is alre^ available, omb or the cio 
Council could establish an independent cadre of experts to review critical 
areas of agency operations that are not being adequately evaluated. Such a 
cadre of experts could be created by drawing on the resources of many 
fedei^J agencies, as we suggested in our September 1996 report, or a 
specialized unit could be established at an agency that already has a 
relatively high degree of expertise, such as nist or the Nationid Security 
Agency. 

Regardless of how and by whom evaluations are conducted, results could 
be used to measure agency performance, identify recurring or 
longstanding problems, and identify gaps in audit coverage. For example, 
annual summary reports could be developed to show (1) the most 
commonly reported types of problems and (2) agencies where the same 
kiformation security weaknesses were identified for more than 1 year. 
More refined performance indicators could distinguish between 
weaknesses classified as “material weaknesses" and those considertKl 
“reportable conditions,” which are less serious than material weaknesses. 
These are standard classifications used in financial statement audit 
reports, omb and the cio Council could work with agency ics, through the 
President's Council on Integrity and Elfficiency, to develop other 
performance indicators. Such an aimual “report card” could highlight 
improvements in agency performance as well as provide agencies an 
additional incentive to avoid being designated as an organization with 
long-standing information security problems. 
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PDD 63 provides for additional central oversi^t of agency practices by the 
National Security Council in the Executive Office of the President 
However, at the close of our review in August 1998, it was too early to 
determine how these prmisioiu would be implemaited, how effective 
they would be, arul how they would be coordituded with ongoing efforts 
by the ao Council and othera 

In its October 1997 report, Critical Foundations: Protecting America's 
Infrastructures , the President’s Commission on Critical Infrastructure 
Protection recognized the need for improved oversight of agency security 
practices and recommended assigning responsibility for oversight of 
federal systems security to a proposed Office of National Infrastructure 
Assurance within the National S^urity CounciL As envisioned by the 
Commission, this Office would be given ‘overall program responsibility for 
infrastructure assurance matters, includirtg policy implementation, 
strategy development, federal interagency coordination, and liaison with 
state and local govenunents and the private sector.” 

On May 22,1998, pdd 63 established such an entity under the National 
Coordinator for Security, Infrastructure Protection and 
Counter-Terrorism, who is to report to the President through the Assistant 
to the President for National Security Affairs. This new entity, termed the 
Critical Infrastructure Coordiiution Group, is to be supported by a newly 
created Critical Infrastructure Assurance Office within the Department of 
Commerce. 

The pdd addresses a range of luuional infrastructure protection issues and 
includes several provisions intended to ensure that critical federal 
computer, or ‘cyber-based," systems are protected from attacks by our 
tuition's enemies. !^>eciflcally, it states thid "the Federal Government shall 
serve as a model to the private sector on how infrastructure assurance is 
best achieved” and that federal department and agency aos shall be 
responsible for irdbrmation assurance. Although details are not provided, 
the Diiective requires each department and agency to develop a plan 
within 180 days from the issuance of the Directive in May 19M for 
protecting its own critical infrastructure, including its cyber-based 
systems. The Critical Infrastructure Coordination Group is thoi to sponsor 
an “expert review process” for those plans. Other key provisions related to 
the security of federal information systems include 

a review of existing federal, state, and local bodies charged with 
information assurance tasks; 
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• enhanced coUectimi and analysis of information on the foreign 
iitformation warfare threat to our critical infrastructures; 

• establishment of a Natiorud Infrastructure Protection Center within the 
Federal Biueau of Investigation to facilitate and coordinate the federal 
government’s investigation and response to attacks on its critical 
irrfrastructures; 

• assessments of U. S. Government systems’ susceptibility to interception 
and exploitation; and 

• incorporation of agency ir\frastructure assurance functions in agency 
strategic platming and performance measurement frameworks. 

Several of these provisions appear to overlap with existing requirements 
prescribed in the Paperwork Reduction Act of 1980, omb Circidar A-130, 
Appendix m, the Computer Security Act, the CUnger-Cohen Act, and the 
Federal Managers’ Financial Integrity Act In addition, some of pdd 63’s 
objectives are similar to objectives being addressed by other federal 
entities, such as development of the PedciRC program by nist and the cio 
Council. 'The relationship among these requirements and existing efforts 
had not been clarified at the conclusion of our review. 


Conclusion 


Since September 1996, the need for improved federal information security 
has received increased visibility and attention. However, central oversight 
has remained limited and a comprehensive strategy has not been 
developed. As a result, many aspects of the recommendations we ttrade in 
September 1996 are still applicable. ’The ao Council’s efforts during late 
1997 and the first half of 1998, as well as issuance of pdd 63 in May 1998, 
indicate tliat senior federal ofiOdals are increasingly concerned about 
information security risks, both to federal operations as well as to 
privately-controlled national infrastructures, and are now moving to 
address these concerns. Coordinated efforts throughout the federal 
community, as envisioned by pdd 63, will be needed to successfully 
accomplish the objectives of these efforts and substantively improve 
federal information security. It is especially important that a 
goveunmentwide strategy be developed that clearly defines and 
coordinates the roles of new and existing federal entities in order to avoid 
inar<propriate duplication of effort and ensure governmentwide 
cooperation and support 


Reconunendation 


Accordingly, we recommend that the Director of the Office of 
Management and Budget and the Assistant to the President for National 
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Security AflUra ensure that the various existing and newly initiated efforts 
to improve federal infomuUion security are coordinated under a 
comprehettsive strategy. Such a strategy should 

• ensure that executive agencies are carrying out the responsibilities 
outlined in laws ntui regulations requiring them to protect the security of 
their information resources; 

• clearly delineate the roles of the various federal orgardzations with 
re^KMisibllities related to federal information security; 

• identify and rank the most significant information security issues facing 
federal agencies; 

• promote information security risk awareness among senior agency 
officials whose critical operations rely on automated systems; 

• identiiy aiwl promote provor secxirity tools, techniques, and management 
best practices; 

• ensure the adequacy of information technology workforce skills; 

• ensure that the security of both fbundalarkliKmfLnancial systems is 
adequately evaluated on a regular basis; 

• include longterm goals aini objectives, including time frames, priorities, 
arul annual performance goals; and 

• provide fcHT periodically evaluating ageivcy performaiKe from a 
goverrunen^de perfective and acting to address shortfalls. 


Agency Comments 
and Our Evaluation 


In commenting on a draft of this report, omb’s Acting Deputy Director for 
Maruigement stated that OMB and the CIO Council, working with the 
National Security CouiKil, have developed a plan to address the pdd 63 
provision that the federal goverrunent serve as a model for critical 
infrastructure protection and to coordinate the new requirements of the 
POD with the existing requirements of the various laws pertaining to 
federal information security. The comments further stated that the plan is 
to develop and p.omote a process by which government agencies can 
(i) identify and assess their existing seciuity posture, (2) implement 
sefrity best practices, and (3) set in motion a process of continued 
maintenance. Also described are plans for a cio Council-sponsored 
interagency security assist team that will review agency security programs. 
Regarding our conclusion that many aspects of the recommendations in 
our September 1996 report are stiU applicable, omb reiterated its concern 
that the 1996 report’s “overemphasis on omb’s role could distract program 
managers in the Federal agencies from their primary reqionsibillty for 
assuring irtformation security.” 
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OMB’s comments indicate that it, the cio CkHincil, and the National Security 
Council are moving to coordiiute their responsibilities and beginning to 
develop the comprehensive strategy that is needed. Based on the 
description provided, the plans being^iaveloped include several key 
elements, most notably a means of evaluating agency performance. These 
plans were still being firudized at the close of our work and were not yet 
available for our review. Accordingly, we are not able to comment on their 
content, scope, and detail, or whether they will be effective in improving 
federal Information security. 

Regarding omb’s concern that we have overemphasized its role, we agree 
that agency managers are primarily responsible for the security of their 
operations. Increased attention and support from central oversight, if done 
effectively, should not distract agerrdes fn>m their responsibilities in this 
area. On the contrary, active oversight of agency performance is more 
likely to have the effect of emphasizing the agency numagers' 
accountability and providing more visibility for agencies that are achieving 
their information assurance goals as well as those that are falling short 
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GAO Reports on Information Security Issued 
Since March-X996 
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the products conikir>ed sentitJv* Mormaiiort. 

VA Infomuttiori Systems: Ck)tnputer Control Weaknesses Increase Risk of 
FYtud, Misuse Vnd Imptxjper Disclosure (GA(VAlMi>t«-i76, September 23, 
1998)7 J 

FAA Systems: Serious Challenges Remain in Resolving Year 2000 and 
j Xk)mputer Security Problems (GAtvr-AiMDM-ssi, August 6,1998). 

Air Tragic Ck)ntrol: Weak Computer Security Practices Jeopardize Flight 
S«fety (GA<VAlMDeft-i66, Mey 18,1998). 

Computer Security: Pervaalve, Serious Weaknesses Jeopardize State 
Department Operations (OAtVAMOea-iss, May 18,1998). 

Executive Guide: Information Security Management Learning From 
Leading Organizations (GA(VAmi>aMS, May 1998). 

U.S. Government Financial Statements: Results of gap’s Fiscal Year 1997 
Audit (GA(yr-AiMD-9»-i28, April 1,1998). 

Financial Audit- Examination of IRS* Fiscal Year 1996 Custodial Financial 
Statements (GAO/AiMi>as-i8, December 24,1997). 


Financial Management Review of the Military Retirement Trust Flmd's 
Actuarial Model and Related Computer Controls (gao/aim[>. 07 .i 28 , 
September 9,1907). 

Financial Audit: Fbcamlnation of IRS* Fiscal Year 1996 Administrative 
FliuuKlal Statements (CAtVAiiiDaTae, August 29,1997). 

Small Business Administratlotf Better Planning and Controls Needed for 
Information Systems (GA(yAiMi>« 7 -M, June 27,1997). 

Social Security Admirdstraiioa- Internet Access to Personal Earnings and 
Benefits Information (GA(yr-Aai{yHEHS47-i23, May 6,1997). 

Budget Process: Comments on S.261—BieruUal Budgetiitg and 
Appropriations Act (GA(yr-AiMi>«7-B4, April 23,1997). 
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IRS Systema Security and Funding: Er ployee Browsing Not Being 
Addressed Effectively and Budget R^uests for New Systems Development 
Not Justified (GACyr AiMD^- 82 , April l6,1&97). 

IRS Systenvs Security Tax Processing Operations and Data Still at Risk 
Due to Serious Weaknesses (gao/t aimivw-t#, April 10,1997). 

IRS Systems Security: Tax Processing Operations and Data Still at Risk 
Due to Serious Weaknesses (OA(yAiMM7-i9, April 8, 1997). 

High Risk Series: Irtfonnatioit Management artd Technology (OAomR- 97 . 8 , 
February 1997). 

Irtformation Security: Opporturdties for Improved omb Oversight of Agency 
Practices (GACVAmoae-iio, September 24,1996). 

Fltrancial Audit Examirratiorr of IRS’ Fiscal Year 199S Financial 
Statements (gao/aimd-86-ioi, July 11,1996). 

Tax Systems Modenrlzation: Actions Underway But IRS Has Not Yet 
Corrected Maiugement and Technical Weaknesses (GACVAiMD^ioe, June 7, 
1996). 

Irxformation Security: Computer Hacker Irtformation Available on the 
Internet (GAOiT-AiMim-ioe, June 6,1996). 

Irxformation Security: Computer Attacks at Department of Defense Pose 
Increasing Risks (GAO/AiMD-seat, May 22,1996). 

Itxformation Security: Computer Attacks at Department of Defense Pose 
Increasing Risks (GA(yr-AiMD4)&«2, May 22,1996). 

Security Weaknesses at IRS' CyberfUe Data Center (GAtVAiMimssR, May 9, 
1996). 

Tax SysteiTxs ModetTxization: Marxagement and Technical Weaknesses Must 
Be Overcome To Achieve Success (GAOT-AWDae-TS, March 26,1996). 
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- Appendix II _ 

Agency Reports Issued Since September 
1996 Tliat Identify Information Security 
Weaknesses 


Department of Health and Human Services Accountability Report Fiscal 
Year 1997 (April 1998). 

Report on the Fitumcial Statement Audit of the Health Care Financing 
AdministraUon for Rscal Year 1997 (A-17.97-00097, April 24,1998). 

Report on the Department of Health and Human Services Consolidated 
Financial Statements for Fiscal Year 1997 (A-17-98-00001, April 1,1998). 

Department of the Treasury’s Inspector General Report Report on the U.S. 
Customs Service’s Fiscal Years 1997 and 1996 Financial Statements 
(OIG-9aO50, March 5,1998). 

Audit of the Extent to Which USAID’s Financial Management System 
Meets Requirements Identified in the Federal Financial Management 
Improvement Act of 1996 (OIG-A-000-98-003-P, March 2, 1998). 

Report on USAID’s Financial Statements, Internal Controls, and 
Compliance for Fiscal Years 1997 and 1996 {OIG-0-000-98-001-F, March 2, 
1998). 

EPA’s Fscal Year 1997 and 1996 Financial Statements Audit Report 
(E1AML7-20-7008-8100058, March 2, 1998). 

NASA Data C enter General Controls, Johnson Space Center (ig-96W)5, 
January 29,1998). 

Federal Managers’ Financial Integrity Act Report, Fiscal Year 1997 
(USAID, December 31,1997). 

EPA 1997 Integrity Act Report to the President and Congress 
(EPA-20^R-98^2, December 19, 1997). 

Social Security Accountability Report for Fiscal Year 1997, (ssa Pub. No. 
31-231, November 1997). 

^^ral and Application Controls Over the Mechanization of Cont ract 
Administration Services System (DODIG, Report Number 98-007, 

October 9, 1997). 

Audit of USAID’s Compliance with Federal Computer Security 
Requirements (OIG-A-000-97-008-P, September 30,1997). 
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Audit of the Status of USAID’s New Management System (NMS) 
(OIG-A^97-010-P, September 30,1997). 

Audit of the Internal Controls for the Operational New Management 
System (OIG-A-000-97-009-P, September 30,1997). 

NASA Data Center General Controls, Marshall Space Flight Center 
(ig-97-039, September 30,1997). 

Eh'aluation of the Social Security Administration’s Back-up and Recoveiy 
Testing of Its Automated Systems (ssa/OIG-A- 13-97-12014, September 24, 
1997). 

U.S. Department of Justice Annual Financial Statement for Fiscal Year 
1996 (DOJ/OIG-97-24B, September 1997). 

Report on the Financial Statement Audit of the Department of Health and 
Human Services for Fiscal Year 1996 (A-17-964X)01, August 29,1997). 

NASA Data Center Facility, Langley Research Center (ig-97-035, August 28, 
1997). 

U.S. Department of Education Fiscal Years 1996 and 1996 Financial 
Statements and Accompanying Notes (Price Waterhouse, LLP, July 31, 
1997). 

Physical Security at Ames Research Center’s NAS Facility (ig-97-030, 

July 18,1997). 

Audit of USAID’s Efforts to Resolve the Year 2000 Problem 
(OIG-A-000-97-005-P, July 11,1997). 

Department of the Treasury’s Inspector General Report Audit of the 
Bureau of Alcohol, Tobacco and Firearms Fiscal Years 1996 and 1995 
Financial Statements (OIG-97-094, July 9,1997). 

The Royalty Management Program’s Automated Information Systems, 
Minerals Management Service (DOI/OIG-97-H042, July 1997). 

Review of Physical Security at the Social Security Administration’s 
National Computer Center (ssa/OIG-A- 13-96-11046, June 26,1997).- 
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Audit of OPM’s Benefit Programa Fiscal Year 1996 FlnancM Stotementa • 
Management Letter (Tnuumltted to OPM's OIG on June 26,1997). 

Review of the Back-up and Recovery Procedures at the National Computer 
Center (ssa/OIG-A-13-96-11052, June 19,1997). 


Audit of OPM’s Benefit Programs Fiscal Year 1996 Financial Statements 
(Transmitted to the Director, 0PM, on June 17,1997). 

General Services Administration, Fiscal Year 1996 Management Letter 
Comments and Suggestions for Consideration (OIG-A62709, June 10, 
1997). 

Audit of Security Controls at the Hines Benefits Delivery Center, 
Department of Veterans Affairs, Office of Inspector General (Report 
Number 7D2-G07-062, May 13,1997). 

Audit of SBA’s FY 1996 Financial Statements - Marragement Letter 
(SBA/OIG-7-6-H-00&015, April 29,1997). 

Audit of the U.S. Department of Housing and Urban Development’s Fiscal 
Year 1996 Financial Statements (Case Number 97-PO-177-0003, April 10, 
1997). 

Report on the Department of Trarrsportation Fiscal Year 1996 
Consolidated Financial Statement (Report Number AD-OT-7-004, April 10, 
1997). 

Federal Emergency Management Agency Management Letter for the Year 
EInded September 30,1996 (April 4,1997). 

General Controls Over Automated Information Systems, Operations 
Service Center, Bureau of Indian Affairs (DOI/OIG-97-I-'^l, April 1997). 

Department of the TYeasury’s Inspector General Report Report on the U.S. 
Customs Service’s Fiscal Years 1996 and 1995 Financial Statements 
(OIG-07-054, March 31,1997). 

NSPs Fiscal Year 1996 Management Letter Report (OIG-97-2110, March 31, 
1997). 


PaseM 


QAIVAIIID-M-SI Pedml UforauUioM Sccvity 











196 


II 

AgMcy l«p«fta lM*t4 81»c« SapUater 
IVM Tkat Maatiiy ialbnaatlas Sacwltjr 
WcakMMM 


Review of CA-TOP SECRET Access Control Software 
(ssa/OIG-A- 13-95-00606, March 18,1997). 

Department of Commerce’s Consolidating Financial Statements for Fiscal 
Year 1996 (OIG-FSD-9355-7-0001, March 1,1997). 

Department of Commerce Economic Development Administration 
Financial Statements for Fiscal Year 1996 (OIG-FSC-8837-7-0001, March 1, 
1997). 

Department of Conunerce International Trade Administration Financial 
Statements for Fiscal Year 1996 (OIG-FSC-8838-7-0001, March 1, 1997). 

Department of Commerce National Oceanic and Atmospheric 
Admmistration Financial Statements for Fiscal Year 19% 

(OIG-F’SC-8841-7-0001, March 1,1997). 

Maitrftrame Computer Policies and Procedures, Administrative Service 
Center, Bureau of Reclamation (DOI/OlG-97-1-683, March 1997). 

U.S. Environmental F*rotection Agency FT 1996 Audited Financial 
Statements (March 1997). 

Audit of SBA’s FT 1996 Financial Statements (SBA/OIG-7-6-H-006-010, 
February 28,1997). 

Auditor’s Reports on NSPs Fiscal Year 1996 Flrumcial Statements , 
(Transmitted to the Chairman, NSF, on February 28,1997). 

U.S. Department of Labor Consolidated Financial Statement Audit for 
Fiscal Years 1995 and 1996 (DOL/OIG-12-97-005-13-001, February 28,1997). 

Reports on USAID’s Financial Statements, Internal Controls, and 
Compliance for Fiscal Year 1996 (OIG-OO00-97-(X)l-C, February 24,1997). 

Department of Veterans Affairs Annual Accountability Report for Fiscal 
Year 1996 (February 14,1997). 

U.S. Department of Energy Consolidated Financial Statements for Fiscal 
Year 1996 (February 1997). 

Management Letter to the Administrator of NASA (January 31,1997). 
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Affw^hin 

bMftd Mam 8#plHiikiir 

1»M HM MMMUy laUMMtto* iMWttr 


Secretary's Annual Sutement and Report, Federal Managers* Fining 
Integrity Act, U.S. Department of the Treasury 1996 (De^mber 30,1996). 

Report on Applying Agreed-Upon Procedures to the Internal Controls over 
the Federal Fbundal System, Fiscal Year Ended September 30,1996 
O^CADIG, November 26.19M). 

‘ General Control Environment of the Federal Flrumctal System at the 
Reston General Purpose Computer Center, U. S. Geological Survey 

(DOI/OIG-97-l>96, October 1996). 

Interim Report on the Status of USAID’s New Marmgement System 
(OIG-A-00(>-964X)1-S, September 27,1996). 

Department of Health aiKl Human Services Accountability Report- Fiscal 
Year 1996 . 

Department of State Consolidated FIrumcial Statements for Fiscal Year 
1996 . 

Financial Statements Fiscal Year 1996, Office of Personnel Marmgement 

Natlotral Aeronautics and Space Administration Fiscal Year 1996 
Accountability Report 
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Appendix in _ 

Comments From the Office of Management 
and Budget 


CXeCUTIVE OTFICC OF THE PRESIDENT 
OFFICt OF MANAOIMtNT AND SUDOET 

wAAHiHaTON. oc loaoa 
Scptanbcr 14,1991 


The Haoottblc Gene L. Dodtro 
A*sijttnt Comptroller Cacnl 
U.S. Oeaeitl Accotmdng OfBcc 
WMhuwiOD. OC 2054t 

DewMr. Dodwo: 

Theok you for the opportunity to cotninc&l oa your dnft report entitled, Informtion 
Security: Sen/xM Wa.lrnM.>. Pl«f> rriiicl F>A^I OneutiOM ind Atvit el Rirk 
(OAO/AlMD-9t-92). The report's principal findings Ughlight many of the security challenges 
that arc CKing Federal ageodea and other otganizalioru as they increasingly itly^op 
interconnected laformatioo systems for the conduct of agency business. The Office of 
Management and Budget (0MB) and the CIO Council have recognized these challenges, and, 
as the report acknowledges, have undertaken a number of initiatives to address them. Thednft 
report also highlights the roquireroents of Presidential Deciskw Directive 6) which requires, 
among other things, that the Federal government serve as a model for critical infrastructure 
protection. 

0MB and the CIO Council, working with the Natiocial Security Council, have developed 
a plan to address that chatge and coordinate the new requirements of the POD with the existing 
requirements of the Computer Security Act, Paperwork Reductioo Act, and Clinger-Cohen AcL 
Our plan, which Is haegraied with the CIO Council Security Committee's strategic plao, is to 
develop and promote a process by which government agencies can; I) identily and assess their 
existing security posture; 2) impkmeot security best practices to assure program improvement 
and effectiveness: and,)) set in motion a process of oootimied maiatcnance. Cooedinatioo of 
these effortt will come pfimatily from the CIO Council and the Prestdenfs Management Council, 
both co-cbaiied by OMB. 

At part of this process, the CIO Council will sponsor an inter-agency security assist team 
that will ptrfcrm independem and confidential reviews of agency security programs. As agency 
needs diotaie, there reviews will include top-level program reviews for cWotmance to OMB 
Ciicular A-130, Appendix III and GAO’S executive guide, Infbnnatioo Seewity Management: 
Learning from Lc^ng Organizationa,' and system-specific reviews to evaluate conformance 
with the Computer Security Handbook issued by the National lostihiie of Stan^lards and 
Technology. Each review will also include relive system interdependency analysis mi 
penetration iMtiag. At OAO hat found, among the chicfbcnefiuofpeiietration testing is the 
way it vividly da iw n s tr s tes to agency managers the msdequacies of seemingly secure systems 
and programs. 
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AMHMttsIU 

Cwumtt Ftmh A* OOm of HuMfMMit 
Hi4B«40*t 


TIm (i««M dMOkofe IP «niitBeii( fatlbcntfioii lecwity pfocrtott ind dev*lopii 4 ■ 
««finMe iaftiMroctun pfoteetion pnifnn U to cniun tte ptoieoioa dliora an'‘o«neir by 
Ibe pngram md buHiun nMMtcn at the occack* wbo m •ocouotable for ibe woccH of (heir 
aaiin pfognm. inehidiag MMriiy. Thia aanntial appect ww u Ddan co nd ia OAO’i Exacative 
Ouida. By worUi^tbnugbtfaaaOCkradl and lhePiefidcac'fMaaa«a(M Council. ««wUl 
baabhtoImpnvaoo nrdIn a rtflB ofaecurity t a qMw men to aadlinkiacutityme aauwa iobuaiaeai 
riaki and agency mianoo. la Ifaia way aeeurity pfogtama will auppon, no< nalrict, niaaioa 
a c oo m pli a hatant 

The draft report alao kataa that addle federaltalcnnarioo aecuflty haa recaivad inc r e aa ed 
viaibility and aReotioa aiaoa Scpaaaaber 1996, camal ovaraight lemaina limited and a 
conprabanaiveacratagy baa not been developed. Hm draft dnia ooochidea tbal maaiy Mpecta of 
the raooaatandatiaaa oada in OAO’a 1996 rapoct, "liifamMina 

Inwnved OMB Ovenipht at A««ev /n AfVAIun.O«. 11 ft\ »».i. We 

reiieraie in part the laaponae aw niade aa that tiate, i.e., *Tha oantral ibniat oftbe ITMRA la to 
fainaaaa the authority, reeponaibaity. and accouatabUity of Federal igendea for the nian ag e i nea t 
ofibairinfonnationreaoutoea. Uhimaiely we an concerned that the leport’a oveacmplttaia on 
OMB'a role could diatract program managera in tba Federal agcadea ftom their prhnary 
raapooaibility for aaauriag infotaMlion aecurity.** 

On the rhaft laport'a noommeodatioa to 0MB and the NSC that tba ‘Varioiia »vM»i«g 
m)i newly in i t iaaBd (via P0D43) efforta to improve fodatai laformalion aecurity am ooordiaaled 
undar a ooraptehenaiva ttrategy." aw we coeftdent that the ao Council’a alial^ plan u well 
ae the plan oftheCouneil’a aecurity oo mn a it tee along with the eflbrta we have deacribed above 
addreae that rec ommtw datiog 

Siaoanly, 


0. Edward DeScve 
Actiag Deputy Dincaor 
ftrr Management 
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Appendix IV __ 

Mgjor Contributors to This Report 


Accounting and 
Information 
Management Division, 
Washington, D.C. 


Jean H. Boltz, Assistant Director, (202) 512-6247 

Ronald W. Beers, Assistant Director 

Darrell L Heim, Assistant Director 

Carol A. Langelier, Assistant Director 

Crawford L Thompson, Assistant Director 

Gregory C. Wilshusen, Assistant Director 

Gary R. Austin, Senior Information Systems Analyst 

Kirk J. Daubei\speck, Senior Information Systems Analyst 

Elmest A. Ddring, Se^or Evaluator 

Michael W. Gilmore, Senior Information Systems Analyst 

William F. Wadsworth, Senior Information Systems Analyst 


AUanta Field Office ® 


Dallas Field Office 


David W. Irvin, Assistant Director 
Debra M. Cotmer, Senior EDP Auditor 
Shannon Q. Cross, Senior Evaluator 
William H. Thompson, Senior Evaluator 
Charles M. Vrabel, Senior EDP Auditor 
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